
Ewido finds Worm.banwarum.f when I start computer

This topic is locked

#1
SamR

SamR

    Member

  • Member
  • 10 posts
Hi, I got some adware on my computer last night that was trying to get me to install some adware removal tool and I found this forum while looking for a solution.
I've been through the "You must read this..." thread and have run Cleanup, Ad-aware SE, Spybot S&D, Ewido Anti-Malware and Trend Housecall which seem to have removed the initial problem but now every time I start the computer, Ewido tells me that it has found a bad file called Worm.banwarum.f and do I want to remove it.
Thanks in advance for any help solving this issue.

Here's my Hijackthis log (run before allowing Ewido to remove the file):

Logfile of HijackThis v1.99.1
Scan saved at 4:01:32 PM, on 30/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Sam\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cable.optusnet.com.au/
O2 - BHO: (no name) - {00F29DB3-72FB-7C2A-FB5C-017624F267C4} - C:\WINDOWS\system32\iqjuoyf.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [clrevid.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\clrevid.dll,apeilag
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: MsugzonJU - {48D22CA0-E278-860A-2681-DB406DFF1922} - C:\WINDOWS\system32\tfy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0



#2
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You have a couple of files on your PC that I would like to have checked.
Please go to Jotti's and click on the Browse... button at the top and navigate to the following files in turn, and then click on Submit:

C:\WINDOWS\system32\clrevid.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\iqjuoyf.dll


When all the scans have been completed, please copy and paste the results into your next reply.

If this site is busy, try VirusTotal: Click the Browse ... button at the top, navigate to the file and double click it and then click the Send button.

You may need to set Windows to show All Hidden Files and Folders - Instructions can be found here.
* These files are hidden to stop you accidentally removing something important. It is advisable to hide them again after you have done. *
  • 0

#3
SamR

SamR

    Member

  • Topic Starter
  • Member
  • 10 posts
Thanks for replying. I've now scanned the 3 files using VirusTotal as Jotti's seems to be running at 100% service load. I scanned the first file last night and had to wait in a queue for about 40 mins, but needed sleep, so left the other 2 for today.

Here are the results:

Complete scanning result of "clrevid.dll", received in VirusTotal at 09.30.2006, 19:01:42 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 09.30.2006 no virus found
Authentium 4.93.8 09.29.2006 no virus found
Avast 4.7.892.0 09.29.2006 no virus found
AVG 386 09.29.2006 no virus found
BitDefender 7.2 09.30.2006 no virus found
CAT-QuickHeal 8.00 09.30.2006 no virus found
ClamAV devel-20060426 09.30.2006 no virus found
DrWeb 4.33 09.30.2006 no virus found
eTrust-InoculateIT 23.73.10 09.30.2006 no virus found
eTrust-Vet 30.3.3106 09.30.2006 no virus found
Ewido 4.0 09.30.2006 no virus found
Fortinet 2.82.0.0 09.30.2006 suspicious
F-Prot 3.16f 09.29.2006 no virus found
F-Prot4 4.2.1.29 09.29.2006 no virus found
Ikarus 0.2.65.0 09.29.2006 no virus found
Kaspersky 4.0.2.24 09.30.2006 no virus found
McAfee 4863 09.29.2006 no virus found
Microsoft 1.1603 09.30.2006 no virus found
NOD32v2 1.1784 09.29.2006 a variant of Win32/TrojanDownloader.Busky.AZ
Norman 5.90.23 09.29.2006 no virus found
Panda 9.0.0.4 09.30.2006 no virus found
Symantec 8.0 09.30.2006 no virus found
TheHacker 6.0.1.088 09.30.2006 no virus found
UNA 1.83 09.29.2006 no virus found
VBA32 3.11.1 09.29.2006 no virus found
VirusBuster 4.3.7:9 09.30.2006 no virus found


Aditional Information
File size: 94720 bytes
MD5: 3bc41dc0d5f86ff828e9d182c1f9167e
SHA1: 1ef2a4cf963ebe164c7e77e42bd6183f721dae58
packers: embedded


Complete scanning result of "winsys2f.dll", received in VirusTotal at 10.01.2006, 05:44:50 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709


Complete scanning result of "iqjuoyf.dll", received in VirusTotal at 10.01.2006, 05:47:52 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 09.30.2006 no virus found
Authentium 4.93.8 09.29.2006 no virus found
Avast 4.7.892.0 09.29.2006 no virus found
AVG 386 09.29.2006 no virus found
BitDefender 7.2 10.01.2006 no virus found
CAT-QuickHeal 8.00 09.30.2006 no virus found
ClamAV devel-20060426 10.01.2006 no virus found
DrWeb 4.33 09.30.2006 Trojan.DownLoader.based
eTrust-InoculateIT 23.73.10 09.30.2006 no virus found
eTrust-Vet 30.3.3106 09.30.2006 no virus found
Ewido 4.0 09.30.2006 no virus found
Fortinet 2.82.0.0 09.30.2006 suspicious
F-Prot 3.16f 09.29.2006 no virus found
F-Prot4 4.2.1.29 09.29.2006 no virus found
Ikarus 0.2.65.0 09.29.2006 no virus found
Kaspersky 4.0.2.24 10.01.2006 no virus found
McAfee 4863 09.29.2006 no virus found
Microsoft 1.1603 10.01.2006 no virus found
NOD32v2 1.1784 09.29.2006 probably a variant of Win32/TrojanDownloader.Busky.AZ
Norman 5.90.23 09.29.2006 no virus found
Panda 9.0.0.4 09.30.2006 no virus found
Sophos 4.10.0 09.30.2006 no virus found
Symantec 8.0 10.01.2006 no virus found
TheHacker 6.0.1.088 09.30.2006 no virus found
UNA 1.83 09.29.2006 no virus found
VBA32 3.11.1 09.29.2006 no virus found
VirusBuster 4.3.7:9 09.30.2006 no virus found


Aditional Information
File size: 72704 bytes
MD5: b3a29bce81b75a4030cecde9989b4e82
SHA1: 8115c6566e04534d779ccf655dca5d171b9fe049
packers: embedded
  • 0
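Two things in the results above are worth checking mechanically rather than by eye: how many engines actually flagged each file (a "suspicious" heuristic verdict counts, and the named-detection column contains spaces, so naive splitting breaks), and the hashes reported for winsys2f.dll. The MD5 d41d8cd98f00b204e9800998ecf8427e and SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 are the digests of zero bytes of input, so the "no virus found" row for that file says nothing about what is on disk: the scanner received an empty upload, consistent with the 0-byte size reported. The following script is an added example by the editor, not part of the thread or of VirusTotal's tooling; it embeds constructed excerpts of the tables pasted in post #3 and asserts nothing beyond what those rows and hashes show.

```python
import hashlib
from dataclasses import dataclass

# Constructed excerpts of the VirusTotal tables pasted in post #3 (a subset of the
# engines, copied as they appear there). The second table is the 0-byte winsys2f.dll.
CLREVID_RESULTS = """
Antivirus Version Update Result
AntiVir 7.2.0.22 09.30.2006 no virus found
Fortinet 2.82.0.0 09.30.2006 suspicious
NOD32v2 1.1784 09.29.2006 a variant of Win32/TrojanDownloader.Busky.AZ
Symantec 8.0 09.30.2006 no virus found
"""

WINSYS2F_RESULTS = """
Antivirus Version Update Result
AntiVir n - no virus found
Kaspersky n - no virus found
NOD32v2 n - no virus found
"""

# Hashes reported for winsys2f.dll in post #3.
WINSYS2F_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
WINSYS2F_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"


@dataclass
class EngineResult:
    engine: str
    version: str
    update: str
    result: str

    @property
    def flagged(self) -> bool:
        # Anything other than the literal clean verdict counts, so "suspicious"
        # heuristic hits are kept alongside named detections.
        return self.result.strip().lower() != "no virus found"


def parse_vt_results(text: str) -> list[EngineResult]:
    """Parse one 'Engine Version Update Result' table into rows.

    The result column may itself contain spaces, so each line is split into at
    most four fields and the remainder is kept whole.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus "):
            continue
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append(EngineResult(*parts))
    return rows


def summarize(text: str) -> dict:
    """Count engines and flagged rows, and list the distinct verdicts."""
    rows = parse_vt_results(text)
    flagged = [r for r in rows if r.flagged]
    return {
        "engines": len(rows),
        "flagged": len(flagged),
        "verdicts": sorted(r.result for r in flagged),
    }


def scanned_content_was_empty(md5_hex: str, sha1_hex: str) -> bool:
    """True when both digests are those of zero bytes of input, i.e. the
    scanner never saw any file content."""
    return (md5_hex.lower() == hashlib.md5(b"").hexdigest()
            and sha1_hex.lower() == hashlib.sha1(b"").hexdigest())


if __name__ == "__main__":
    for name, table in (("clrevid.dll", CLREVID_RESULTS),
                        ("winsys2f.dll", WINSYS2F_RESULTS)):
        print(name, summarize(table))
    print("winsys2f.dll upload was empty:",
          scanned_content_was_empty(WINSYS2F_MD5, WINSYS2F_SHA1))
```

The empty-hash check is the useful habit here: a clean multi-engine verdict is only meaningful when the submitted bytes are the bytes on disk, and a file that is locked, hidden, or reported as 0 bytes by the shell needs to be captured another way (the helper later asks for the Killbox backup copy for exactly this reason).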

#4
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
You look like you've found a few new nasties - congrats!

Right click an empty area of your Desktop and from the menu that appears click New > Compressed (zipped) Folder - the default name will be fine.
Copy and paste the following file(s) into this folder:


C:\WINDOWS\system32\clrevid.dll
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\iqjuoyf.dll


Once you have done this, open the folder, if it isn't already, and click File > Add a Password...
Enter infected (all lower case) into the Password: textbox, confirm it in the box underneath, and then click OK.

I'll PM you the address to send the folder to, thanks.
  • 0

#5
SamR

SamR

    Member

  • Topic Starter
  • Member
  • 10 posts
Ahh, great... more new nasties.
I managed to add 2 of the 3 files to a zipped folder but I got an error when trying to add the winsys2f.dll file, is this because the file size is 0 bytes? I've sent the zip file to the address you PM'd me.

Thanks again for your help.
  • 0

#6
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
Some nasties are resistant to being moved around, but this isn't a major problem. When you delete the file with Killbox, see below, there will be a backup saved in the C:\!KillBox folder that will be created. If you could send a copy of the file from there, that would be grand.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I'll post the instructions in three parts as this is easier for me. Carry them all out and post as required.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You are running HJT from an unsafe location. An easy way to correct this is to do the following:

Download a copy of HJTsetup.exe from here and save it to your Desktop.
  • Double click HJTsetup.exe to begin installation.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the prompts from there.
  • At the final dialogue box uncheck the box to the left of "Launch Hijackthis" and then click Finish
Do this BEFORE you proceed!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Download KillBox.zip by Option^Explicit from here and save it to your Desktop.
You will need to extract the file(s) from the zipped folder.

To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish


You should now see the contents of the KillBox folder.

2) IMPORTANT
Close all other open windows and programs because this will require a reboot.
  • Double click KillBox.exe to run it.
  • Click the radio button to the left of 'Delete on Reboot', then 'copy and paste' the following line into the 'Full Path of File to Delete' textbox:

    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

  • Once you have done this, you should see an option "Unregister .dll before Deleting" turn from grey to black - check the box to the left of it.
  • Click on the red and white 'X' button.
  • First you will be asked to confirm that 'All listed Files will be Deleted on Next Reboot' - click on Yes.
  • Next you will be asked to 'Files will be Removed on Reboot, Do you want to reboot now?' - click on Yes
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, just restart manually.
* If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and then run missingfilesetup.exe - then try Killbox again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido anti-spyware from here and save it to your Desktop.
If you already have this program installed, skip to Updating Ewido: below.

* Please note that these instructions are for the new version - Ewido anti-spyware. If you have the old version - Ewido anti-malware and it is the:
  • paid-for version - you will need to go here and obtain an updated license code before you upgrade.
  • free version - you will need to uninstall it and reboot before installing the new version.
Double click the ewido-setup file to begin installation and follow the prompts.
When the program has been installed, and you click the Finish button, Ewido anti-spyware will open.
  • Updating Ewido:

    By default Ewido is configured to update automatically so, if you have an active internet connection, it should do so following installation. If you are unsure whether or not it has done so, do the following:
  • Click the Update icon at the top and under "Manual Update" - click the Start update button.
  • Either Ewido will update or inform you that no update was available.
  • If you cannot access the internet with the infected PC, or you are having problems updating, you can download the signatures file from here.
    Once you have installed Ewido, double click ewido-signatures-full-current.exe to update it.

    Disabling the Resident Shield:
  • By default the Resident Shield is active but as it may interfere with the process of cleaning your PC, it will need to be disabled.
    (When the PC has been cleaned you can activate the shield again, if you wish.)
  • Click the Shield icon at the top and under "Resident shield is..." - click active.
  • This should now change to inactive.

    Changing Recommended Actions
  • Click the Scanner icon at the top and then click the Settings Tab.
  • Under "How to act?" click Recommended actions and select "Quarantine" from the menu.
You can now close Ewido anti-spyware.

Ewido anti-spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that Ewido will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now button.


2) You will need to know how to boot into Safe Mode.
Instructions can be found here.

3) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {00F29DB3-72FB-7C2A-FB5C-017624F267C4} - C:\WINDOWS\system32\iqjuoyf.dll

O4 - HKLM\..\Run: [clrevid.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\clrevid.dll,apeilag

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll


I can't find out any information about the following line, which usually means it's malicious, but if you recognize it then leave it alone:

O21 - SSODL: MsugzonJU - {48D22CA0-E278-860A-2681-DB406DFF1922} - C:\WINDOWS\system32\tfy.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Ensure that ALL open Windows / Programs / Folders are closed and then run Ewido anti-spyware.
  • If it is not already selected, click the Scanner icon at the top and then select the Scan Tab.
  • Click "Complete System Scan"
  • While the scan is in progress the PC should be left otherwise idle - so if you fancy a cuppa, now's the time to put the kettle on!
  • When the scan has completed, any threats that Ewido has detected will be displayed.
  • Click the Apply all actions button at the bottom.
  • When Ewido has finished, it will display the message "All actions have been applied".

    Saving a report:
  • Click the Save Report button at the bottom left and the "Reports" window will open.
  • The content of the scan report will be displayed in the right hand pane and a copy will be automatically saved as Report-Scan-date-time.txt into the C:\Program Files\ewido anti-spyware 4.0\Reports folder.
  • You will need to post a copy of this report into your next reply, so if it is more convenient, you can save another copy of this report elsewhere:
    Click the Save report as button and select a destination by clicking the down arrow to the right of the Save in: text box and then click Save.
Close Ewido Anti-Spyware.

7) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\system32\clrevid.dll

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'


8) Boot into Normal Mode.

Post a new HJT log, the Ewido log AND a description of how your PC is running.
  • 0

#7
SamR

SamR

    Member

  • Topic Starter
  • Member
  • 10 posts
OK, I've followed your instructions and it would seem we've managed to remove those 3 files as they are no longer in their respective folders after restarting.
I assumed in Step 7 of Removal that you wanted me to delete both C:\WINDOWS\system32\clrevid.dll and C:\WINDOWS\system32\iqjuoyf.dll and that they should be deleted completely, not just sent to the Recycle bin.

How my computer is now running:
With Ewido's Resident Shield set to active, when I restart the computer, Ewido still finds the Malware that it was originally complaining about: Worm.Banwarum.f and states its location as C:\WINDOWS\system32\adir.dll. I guess we still haven't fixed this problem...

Edit: apart from that, all seems to be working OK. I was previously getting installers popping up every now and then trying to get me to install software, but I've been using the computer for a few hours now without any signs of an installer.

Thanks for your ongoing assistance, it's much appreciated.


Here's the Ewido log from the scan you requested:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:06:56 PM 2/10/2006

+ Scan result:


C:\Documents and Settings\Sam\Cookies\sam@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\sam@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\sam@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Cookies\sam@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).


::Report end


And here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:22:57 PM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cable.optusnet.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by SamR, 02 October 2006 - 05:57 AM.

  • 0
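A helper reading a thread like this compares each new HijackThis log with the previous one to see which entries appeared or disappeared between scans. The script below is an added example (not code from the thread or from HijackThis) that does that mechanically. OLD_LOG and NEW_LOG are excerpts (the O4 lines) of the log above and of the later log SamR posts further down in this thread; it reports the Run entry and the Global Startup item that exist only in the later log. Whether a new entry belongs there is the judgement the helpers make by hand; the script only surfaces it.

```python
"""Diff two HijackThis 1.99 logs entry by entry to see what appeared or
vanished between scans, and split an O4 Run entry into its parts.

Added example, not part of the thread or of HijackThis.  OLD_LOG and NEW_LOG
are O4 excerpts of the two logs posted in this thread.
"""
import re

OLD_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

NEW_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# "O4 - <body>", "R0 - <body>" and so on: section code, then the entry.
ENTRY_RE = re.compile(r"^(?P<section>[ORFN]\d+) - (?P<body>.+)$")
# Registry Run entries: HKLM\..\Run: [value name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Heuristic for unquoted commands: take up to the first executable-looking
# extension that is followed by a space or the end of the value.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s|$)", re.IGNORECASE)


def parse_entries(text):
    """Map section code (O4, O23, R0 ...) to the set of entry bodies."""
    sections = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections.setdefault(m["section"], set()).add(m["body"])
    return sections


def diff_logs(old_text, new_text):
    """Return (added, removed) as sorted lists of (section, body) tuples."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    added, removed = [], []
    for section in sorted(set(old) | set(new)):
        o, n = old.get(section, set()), new.get(section, set())
        added += [(section, b) for b in sorted(n - o)]
        removed += [(section, b) for b in sorted(o - n)]
    return added, removed


def run_entry(body):
    """Split an O4 registry Run body into hive, key, value name, command and
    the executable it points at.  Returns None for Global Startup items."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m["cmd"]
    if cmd.startswith('"'):
        exe = cmd[1:cmd.index('"', 1)]      # quoted path: take what is inside
    else:
        e = EXE_RE.match(cmd)
        exe = e.group(1) if e else cmd.split(" ", 1)[0]
    return {"hive": m["hive"], "key": m["key"], "name": m["name"],
            "cmd": cmd, "exe": exe}


if __name__ == "__main__":
    added, removed = diff_logs(OLD_LOG, NEW_LOG)
    for section, body in added:
        info = run_entry(body)
        where = f" -> {info['exe']}" if info else ""
        print(f"+ {section} - {body}{where}")
    for section, body in removed:
        print(f"- {section} - {body}")
```

Run it on the two full logs rather than the excerpts and every section (O2 BHOs, O23 services, the process list is not covered) gets the same added/removed treatment; the exe heuristic for unquoted paths is only a guess, which is exactly why helpers ask for the file itself.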

#8
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts

Ewido still finds the Malware that it was originally complaining about: Worm.Banwarum.f and states its location as C:\WINDOWS\system32\adir.dll.

I don't understand how Ewido can be detecting this nasty. If it can see it, it should be able to delete it, or at the very least try, fail, and make a record in its log - the log shows only tracking cookies.
Reboot your PC and when Ewido tells you that it has found a problem, run a full scan in Normal Mode and see if it detects and removes it.
If it doesn't, manually delete the file: C:\WINDOWS\system32\adir.dll.
If it won't go that way, use Killbox as you did previously and let that deal with it.

Let me know how you get on.
  • 0

#9
SamR

SamR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I don't understand how Ewido didn't pick it up either: the Resident shield was inactive, so when I booted into Safe mode Ewido didn't automatically find the file C:\WINDOWS\system32\adir.dll and display the warning (see attached screenshot). So I didn't "Clean and quarantine" the file before starting the scan, and it should have been there for Ewido to find.

I've just run another scan in Normal mode and all that Ewido found was one tracking cookie, but I hadn't taken any action on the Ewido warning that first came up (screenshot). Should I have told Ewido to Ignore the file before running the scan?
I've also just had a look manually for the file and can't find it at the specified location with the warning still "active".

So, should I "Ignore" the file and then search for it manually and/or run a full system scan?

Edit:

I "ignored" the file and still wasn't able to find it at the above location, but out of curiosity I had a look at another file, C:\WINDOWS\system32\2236_32.dll and noticed that it had the same date stamp and almost the same time as the 3 earlier files that we removed and didn't seem to have any information like the other proper files do. I then went and scanned it via VirusTotal and from the result it looks to me like it's a virus:

Complete scanning result of "2236_32.dll", received in VirusTotal at 10.03.2006, 15:00:43 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 10.03.2006 HEUR/Crypted
Authentium 4.93.8 10.02.2006 no virus found
Avast 4.7.892.0 10.03.2006 no virus found
AVG 386 10.02.2006 Proxy.FSY
BitDefender 7.2 10.03.2006 DeepScan:Generic.Malware.SMw.049711F3
CAT-QuickHeal 8.00 10.03.2006 no virus found
ClamAV devel-20060426 10.03.2006 no virus found
DrWeb 4.33 10.03.2006 Trojan.Proxy.1087
eTrust-InoculateIT 23.73.11 10.02.2006 no virus found
eTrust-Vet 30.3.3113 10.03.2006 no virus found
Ewido 4.0 10.02.2006 no virus found
Fortinet 2.82.0.0 10.03.2006 Spam_DComServ!tr
F-Prot 3.16f 10.02.2006 no virus found
F-Prot4 4.2.1.29 10.02.2006 no virus found
Ikarus 0.2.65.0 10.03.2006 no virus found
Kaspersky 4.0.2.24 10.03.2006 no virus found
McAfee 4864 10.02.2006 Spam-DComServ
Microsoft 1.1603 10.03.2006 Agent.NN (threat-c)
NOD32v2 1.1787 10.02.2006 no virus found
Norman 5.90.23 10.03.2006 no virus found
Panda 9.0.0.4 10.02.2006 no virus found
Sophos 4.10.0 10.03.2006 no virus found
Symantec 8.0 10.03.2006 Hacktool.Spammer
TheHacker 6.0.1.089 10.02.2006 no virus found
UNA 1.83 10.03.2006 no virus found
VBA32 3.11.1 10.03.2006 no virus found
VirusBuster 4.3.7:9 10.02.2006 no virus found


Aditional Information
File size: 157184 bytes
MD5: 73d92080623b268560b5356c0de995c4
SHA1: 1d858cd29fd3f7258bd46865c5e9f096e63ed69c
packers: UPX

I then went and searched for other files in C:\WINDOWS\system32 that had a similar time date stamp and came across 6 other files created/modified at the same time as or 1 minute later than the 3 original files.
They are:
C:\WINDOWS\system32\dlh9jkdq8.exe Modified 30/09/2006 12:41am
C:\WINDOWS\system32\image.gif.exe Modified 30/09/2006 12:42am
C:\WINDOWS\system32\inistone.ini Modified 30/09/2006 12:42am
C:\WINDOWS\system32\kr_done1 Modified 30/09/2006 12:42am
C:\WINDOWS\system32\vx.tll Modified 30/09/2006 12:41am
C:\WINDOWS\system32\wbem\Logs\FrameWork.log Modified 30/09/2006 12:41am

Do any of these files pose a threat? Can they be removed? What action, if any, should I take on these files and the other file, C:\WINDOWS\system32\2236_32.dll?

Thanks again for your help and for your patience.

Attached Thumbnails

  • ewido.JPG

Edited by SamR, 03 October 2006 - 10:57 AM.

  • 0
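The check SamR describes above (sort system32 by date, look at what landed within a minute of the files already removed, then hash the suspects for a VirusTotal lookup) is a standard triage technique, often called timestamp pivoting. The script below is an added example, not code from the thread or from any of the tools in it: it lists the files in a folder modified within a short window of a reference timestamp and hashes them. The sample folder is constructed in a temporary directory with placeholder contents under the file names SamR listed, so it runs offline on any system.

```python
"""Timestamp pivot: list the files in a folder modified within a short window
of a known-bad file's timestamp, and hash them for a VirusTotal-style lookup.

Added example, not code from the thread.  The sample folder is constructed
in a temp directory with placeholder contents so the script runs offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def file_hashes(path):
    """Return (md5, sha1) hex digests of a file, reading it in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def files_near(directory, reference, window_seconds=60, recurse=False):
    """Files whose mtime lies within window_seconds of `reference` (datetime).

    The comparison is done on epoch seconds so no local-time round trip is
    involved.  Returns dicts (name, path, mtime, size, md5, sha1) sorted by
    mtime, then name.
    """
    directory = Path(directory)
    ref_ts = reference.timestamp()
    candidates = directory.rglob("*") if recurse else directory.iterdir()
    hits = []
    for p in candidates:
        if not p.is_file():
            continue
        st = p.stat()
        if abs(st.st_mtime - ref_ts) <= window_seconds:
            md5, sha1 = file_hashes(p)
            hits.append({"name": p.name, "path": str(p),
                         "mtime": datetime.fromtimestamp(st.st_mtime),
                         "size": st.st_size, "md5": md5, "sha1": sha1})
    return sorted(hits, key=lambda h: (h["mtime"], h["name"]))


def build_sample_dir():
    """Constructed sample mirroring the thread: three files stamped 30/09/2006
    00:41-00:42 (the names SamR listed) plus one much older, unrelated file.
    Contents are placeholders, not the real binaries.  Returns (dir, t0)."""
    root = Path(tempfile.mkdtemp(prefix="sys32_sample_"))
    t0 = datetime(2006, 9, 30, 0, 41)
    stamps = {
        "dlh9jkdq8.exe": t0,
        "image.gif.exe": t0 + timedelta(minutes=1),
        "inistone.ini": t0 + timedelta(minutes=1),
        "unrelated_old.dll": t0 - timedelta(days=400),
    }
    for name, when in stamps.items():
        f = root / name
        f.write_bytes(b"placeholder contents for " + name.encode())
        os.utime(f, (when.timestamp(), when.timestamp()))
    return root, t0


if __name__ == "__main__":
    root, t0 = build_sample_dir()
    print(f"files within 60 s of {t0:%Y-%m-%d %H:%M} in {root}:")
    for h in files_near(root, t0):
        print(f"{h['mtime']:%Y-%m-%d %H:%M:%S}  {h['size']:>6}  "
              f"md5={h['md5']}  {h['name']}")
```

Point `files_near` at a real folder and a real reference time to reproduce the manual search; the hashes are what you paste into a lookup service, and a file that cannot be opened for hashing (locked by a running process) is itself worth noting.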

#10
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I don't know what's going on with your PC but as DrWeb identifies the file that you submitted, we'll give the stand-alone tool a go and see what it turns up.
The instructions for this are hot off the press as the interface has been updated since I last used it, so I'd be grateful if you'd let me know how easy they are to follow and also if there is anything I missed out that you would have liked to have been told, thanks. :whistling:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download Dr Web Cureit from here and save it to your Desktop.

2) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Double click drweb-cureit.exe to begin - the program takes a few seconds to open so give it time.
  • Click Start.
  • When a new window appears, click OK to start the express scan - this will only take a short while.
  • If anything is found, click Yes when you are asked if you want to Cure?
  • Once the express scan has finished, click the Select drives button on the left - this will place a red dot over all of your hard drives.
  • Click the green arrow on the right and the main scan will begin.
  • If you see a pop-up informing you of an infected file and asking if you want to Cure? or Move?, click Yes to All.
  • Now all you can do is wait while the scan completes as it needs no further action on your part.
  • Once the scan has completed, you may see a list of infected files appear.
    • If so, there will be a button to the left of them that resembles a pile of papers with a red tick on top - click it.
    • A green dot will appear over each of the file icons and also light up four more buttons.
    • You need to click the second one down that resembles a green cup and select Move incurable from the menu that appears.
  • Then from the main menu (top left), click File > Save report list.
  • You will need to change the filename from DrWeb to "DrWeb.txt" - it is important that you include the quotes.
  • Click Save and the report will be saved by default to My Documents although you can save it elsewhere if you wish.
  • Close DrWeb Cureit.
2) Reboot your PC.

Post a fresh HJT log, the contents of DrWeb.txt AND a description of how your PC is running.
  • 0

#11
SamR

SamR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK, I followed your instructions and Dr Web Cureit found a whole pile of trojans/adware. The first file it found was in the backups folder in HJT.
I didn't delete the 2nd file it found as I'm pretty sure it's supposed to be there (something to do with the game Half-life).

When I restarted my computer, Ewido no longer complained about the file C:\WINDOWS\system32\adir.dll, but did bring up a similar warning about another file, I forget its name but it was in the same folder and was a .exe file. It seems that Ewido has managed to "Clean and quarantine" it as it is no longer there after restarting the computer yet again.

So my computer seems to be running OK at the moment, I haven't had any warnings pop up or anything which is a good sign.

The instructions for Dr Web Cureit were straightforward and easy to follow, the only thing I would suggest is that in the instructions for changing the file name of the report list from Dr Web to "Dr Web.txt", instead of saying it's important to include the quotes, it should read "it is important that you include the quotation marks". It took me a moment to realise that's what it meant.

Thanks very much for your assistance and I hope that there are no more issues with my computer.

Any recommendations for Anti-virus software as I don't like Norton, it's quite slow?


Here's the Dr Web log:

backup-20061002-170456-938.dll;C:\Program Files\Hijackthis\backups;Trojan.DownLoader.based;Deleted.;
hltv.exe;C:\SIERRA\Half-Life;Tool.ProxyHLTV;;
A0052132.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.EmailSpy;Deleted.;
A0052129.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.PWS.Micro;Deleted.;
A0052116.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.EmailSpy;Deleted.;
A0052104.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Joke.WinDel;Incurable.Moved.;
A0052103.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Adware.Aureate;Incurable.Moved.;
A0052102.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Adware.Aureate;Incurable.Moved.;
A0052101.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.9540;Deleted.;
A0052100.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.based;Incurable.Moved.;
A0052099.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.12041;Deleted.;
A0052098.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.12995;Deleted.;
A0052097.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.Proxy.1052;Deleted.;
A0052096.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.Proxy.899;Deleted.;
A0052091.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Dialer.Member;Deleted.;
A0052089.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.based;Incurable.Moved.;
A0052088.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.based;Incurable.Moved.;
A0052087.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.12453;Deleted.;
A0052086.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.Fakealert;Deleted.;
A0052085.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.Fakealert;Deleted.;
A0052084.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.11981;Deleted.;
A0052082.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.PWS.Micro;Deleted.;
A0052080.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.Proxy.1154;Deleted.;
A0052076.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.9540;Deleted.;
A0052074.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.DownLoader.4998;Deleted.;
A0050397.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Adware.Aureate;Incurable.Moved.;
A0048031.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.PWS.Micro;Deleted.;
A0052325.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP815;Trojan.PWS.Micro;Deleted.;
A0052309.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP815;Trojan.DownLoader.based;Deleted.;
A0052295.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP815;Trojan.PWS.Micro;Deleted.;
A0052287.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP815;Trojan.PWS.Micro;Deleted.;
A0052450.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP817;Trojan.DownLoader.based;Deleted.;
A0052449.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP817;Trojan.PWS.Micro;Deleted.;
A0052430.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP817;Trojan.PWS.Micro;Deleted.;
image.gif.exe;C:\WINDOWS\system32;Trojan.EmailSpy;Deleted.;
2236_32.dll;C:\WINDOWS\system32;Trojan.Proxy.1087;Deleted.;

Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:35:56 PM, on 4/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cable.optusnet.com.au/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [adir] C:\WINDOWS\system32\adirss.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
  • 0
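The Dr.Web report in the post above is a simple semicolon-separated format: file name, directory, detection name, action taken, with the action field empty when the file was reported but not touched (the hltv.exe line). The script below is an added example, not code from the thread or from Dr.Web, that parses that format and summarises it the way a helper reads it: what was hit on the live system, what only lived in System Restore snapshots (which is why the thread ends with resetting System Restore), and what was detected but left alone. SAMPLE_REPORT is a subset of the lines from the report above.

```python
"""Parse a Dr.Web CureIt report list (the semicolon-separated lines posted
in this thread) and summarise what a helper wants to know from it.

Added example; not part of the thread or of Dr.Web's tooling.  Each line is
``name;directory;threat;action;`` with an empty action field when the file
was reported but not touched.  SAMPLE_REPORT is a subset of the real report.
"""
from collections import Counter

SAMPLE_REPORT = r"""
backup-20061002-170456-938.dll;C:\Program Files\Hijackthis\backups;Trojan.DownLoader.based;Deleted.;
hltv.exe;C:\SIERRA\Half-Life;Tool.ProxyHLTV;;
A0052132.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Trojan.EmailSpy;Deleted.;
A0052104.exe;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP814;Joke.WinDel;Incurable.Moved.;
A0052325.dll;C:\System Volume Information\_restore{3309E206-96B2-432C-9B80-6ADCF472D1E1}\RP815;Trojan.PWS.Micro;Deleted.;
image.gif.exe;C:\WINDOWS\system32;Trojan.EmailSpy;Deleted.;
2236_32.dll;C:\WINDOWS\system32;Trojan.Proxy.1087;Deleted.;
"""


def classify_location(directory):
    """Bucket a directory: restore-point snapshot, HJT backup, Windows tree,
    or other.  Restore-point copies are inert until a restore is performed
    and vanish when System Restore is reset."""
    d = directory.lower()
    if "\\system volume information\\_restore" in d:
        return "restore-point"
    if "\\hijackthis\\backups" in d:
        return "hjt-backup"
    if d.startswith("c:\\windows"):
        return "windows"
    return "other"


def parse_report(text):
    """Yield one dict per non-empty line of a CureIt report list."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if fields[-1] == "":
            fields.pop()            # every line ends with a separator
        while len(fields) < 4:      # keep an empty action as its own field
            fields.append("")
        name, directory, threat, action = fields[:4]
        yield {
            "name": name,
            "dir": directory,
            "threat": threat,
            "action": action.rstrip(".") or "NoAction",
            "location": classify_location(directory),
        }


def summarise(text):
    """Counts by action and by location, plus the two lists a helper wants:
    detections on the live system and detections nothing was done about."""
    entries = list(parse_report(text))
    return {
        "entries": entries,
        "by_action": Counter(e["action"] for e in entries),
        "by_location": Counter(e["location"] for e in entries),
        "live": [e for e in entries if e["location"] in ("windows", "other")],
        "untouched": [e for e in entries if e["action"] == "NoAction"],
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print("by action:  ", dict(s["by_action"]))
    print("by location:", dict(s["by_location"]))
    for e in s["live"]:
        print(f"live system: {e['dir']}\\{e['name']}  {e['threat']}  [{e['action']}]")
    for e in s["untouched"]:
        print(f"needs a decision: {e['dir']}\\{e['name']}  {e['threat']}")
```

Feed it the full DrWeb.txt instead of the excerpt and the "live" list is the short one that matters (here the two system32 files), while the long run of restore-point hits collapses into a single count.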

#12
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I've altered the instructions - thanks. :whistling:

There are just the files that you identified previously to deal with:

C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\inistone.ini
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\vx.tll


You can delete all of these manually.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You have a number of free choices with regard to AVs:

Avg Free Edition: Available here.
avast! 4 Home Edition: Available here
AntiVir PersonalEdition Classic :Available here

While you can download them all to see which one you prefer, only install one at a time - running two or more anti-virus programs simultaneously can cause conflicts resulting in less, not more, protection.

I'll also give you the latest offering from AOL: http://blogs.pcworld...ves/002573.html
As the article says, it's based on Kaspersky's AV which is well thought of, but you may not be fond of AOL as they aren't everybody's top team.

I have used AVG in the past, so I can offer that one with some experience but I have NOD32 installed at the moment which I'm happy with, but free is always good.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I want you to run your PC as normal for a few days. When you are happy that everything is fine, do the following:

Update your anti-virus program,
Disable System Restore,
Boot into Safe Mode,
Scan your computer for viruses.
When you get the all clear, reboot into Normal Mode.
Re-enable System Restore,
Create a Restore Point.
This will give a clean Restore Point should you need it in the future.
A tutorial for System Restore is available here.

The reason for waiting is that if removing the malware has caused a problem, which it occasionally does, you can put your PC back to how it was before the fix. This will re-install the malware, but an infected PC is better than an expensive paperweight!

Some bedtime reading: This is a very good tutorial about keeping your computer safe and secure on the internet.
  • 0

#13
SamR

SamR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK, I've deleted those files without any issues.

Great, I'll have a look at those AVs and pick one that suits me. What about firewalls? I've heard of Zone Alarm, is it any good?

I'll let you know how I go when I reset the System Restore point. I noticed that Dr Web found a lot of viruses in one of the system restore folders.

Once I'm sure the computer is clean, I'll make sure I back up all the important personal files that I was thinking I really should get around to backing up a bit before this problem occurred :whistling: I already had some files backed up, but not everything. We only just recently changed from dial-up to broadband...

Thanks once again for your help, it is very much appreciated :blink:
  • 0

#14
Noviciate

Noviciate

    Confused Helper

  • Malware Removal
  • 1,567 posts
I use it on both my PCs if that's any recommendation.
  • 0

#15
SamR

SamR

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
OK I've installed Zone Alarm and AVG after removing Norton and everything seems to be running smoothly. So in a couple of days I'll reset the system restore point.
  • 0
