
Throwing in the towel [resolved]



#31
DangerousThing

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

TBPS INI 849 03-20-05 12:32a TBPS.ini
MJVBVM60 DLL 227,104 03-18-05 9:08p Mjvbvm60.dll
2 file(s) 227,953 bytes
0 dir(s) 20,803.28 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 04-07-05 7:03p nsvsvc
PICSVR <DIR> 03-26-05 8:25p picsvr
ATMENUXX GID 10,842 11-10-04 12:48p ATMenuxx.GID
CPAHLENU GID 10,825 02-23-02 8:53p CPAHLENU.GID
FOLDER HTT 13,122 10-04-01 7:35p folder.htt
DESKTOP INI 266 10-04-01 7:35p desktop.ini
4 file(s) 35,055 bytes
2 dir(s) 20,803.25 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416097EE-FC4A-E167-6011-AF6C211AC428}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
mjvbvm60.dll Fri Mar 18 2005 9:08:46p ..S.R 227,104 221.78 K
tbps.ini Sun Mar 20 2005 12:32:02a ..S.R 849 0.83 K

2 items found: 2 files, 0 directories.
Total of file sizes: 227,953 bytes 222.61 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\unadbeh.exe: c:\Projects\Gozo\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#32
DangerousThing

Logfile of HijackThis v1.99.1
Scan saved at 11:33:09 AM, on 4/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab

#33
didom

  • Click killbox.exe.
  • Select the option Replace on Reboot
  • Check the "End Explorer Shell While Killing File" box
  • Now copy the next bold:
C:\WINDOWS\SYSTEM\mjvbvm60.dll
C:\WINDOWS\unadbeh.exe
  • Open file in the killboxmenu on top and choose Paste from clipboard
  • Now you will see that this is pasted in the "Full Path of File to Delete" field.
    There's a little arrow (dropdown arrow) next to that field.
    If you expand it, all these must be there together!
  • Then press the button that looks like a red circle with a white X in it.
  • Killbox will tell you that all listed files will be deleted on next reboot. Click YES
  • When it asks if you would like to Reboot now, click YES
(if you don't get the prompt: would you like to reboot now, reboot manually!)

Your computer must reboot now.

Ignore the errors you get... this is normal.
  • After that please run find.bat again and post a new log (output.txt).
  • Also post a new HijackThis log!
Didom

#34
didom

  • Click killbox.exe.
  • Select the option "Standard file kill"
  • Check the "End Explorer Shell While Killing File" box
  • Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\SYSTEM\mjvbvm60.dll
  • Then press the button that looks like a red circle with a white X in it.
  • Killbox will tell you that all listed files will be deleted on next reboot. Click YES
  • When it asks if you would like to Reboot now, click NO
  • Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINDOWS\unadbeh.exe
  • Killbox will tell you that all listed files will be deleted on next reboot. Click YES
  • When it asks if you would like to Reboot now, click YES
(if you don't get the prompt: would you like to reboot now, reboot manually!)

Your computer must reboot now.

Ignore the errors you get... this is normal.
  • After that please run find.bat again and post a new log (output.txt).
  • Also post a new HJT log!
Didom

Edited by didom, 08 April 2005 - 10:53 AM.


#35
DangerousThing

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

TBPS INI 849 03-20-05 12:32a TBPS.ini
MJVBVM60 DLL 227,104 03-18-05 9:08p Mjvbvm60.dll
AKI3DRAA DLL 227,104 03-18-05 9:08p AKI3DRAA.DLL
3 file(s) 455,057 bytes
0 dir(s) 20,807.44 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 04-07-05 7:03p nsvsvc
PICSVR <DIR> 03-26-05 8:25p picsvr
ATMENUXX GID 10,842 11-10-04 12:48p ATMenuxx.GID
CPAHLENU GID 10,825 02-23-02 8:53p CPAHLENU.GID
FOLDER HTT 13,122 10-04-01 7:35p folder.htt
DESKTOP INI 266 10-04-01 7:35p desktop.ini
4 file(s) 35,055 bytes
2 dir(s) 20,807.41 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416097EE-FC4A-E167-6011-AF6C211AC428}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
mjvbvm60.dll Fri Mar 18 2005 9:08:46p ..S.R 227,104 221.78 K
tbps.ini Sun Mar 20 2005 12:32:02a ..S.R 849 0.83 K
aki3draa.dll Fri Mar 18 2005 9:08:46p ..S.R 227,104 221.78 K

3 items found: 3 files, 0 directories.
Total of file sizes: 455,057 bytes 444.39 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\unadbeh.exe: c:\Projects\Gozo\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#36
miekiemoes

User is being helped in the chatroom...

* Click killbox.exe.
* Select the option "Standard file kill"
* Check the "End Explorer Shell While Killing File" box
* Copy and paste the following file to the field labeled "Full path of file to delete"

C:\WINDOWS\SYSTEM\mjvbvm60.dll

Click the red button now.
When you get an error that the file couldn't be deleted, select the option 'delete a file on reboot', click the red button, and it will tell you the file will be deleted on next reboot. Do not reboot yet!!

Now copy and paste next in the field:

C:\WINDOWS\SYSTEM\aki3draa.dll

Again, choose "standard kill file", select the option: "end explorer shell while killing file" and click the red button.

If you also get an error that the file couldn't be deleted, select the 'delete on reboot' option and click the red button.

REBOOT!!

Post a new findit-log in your next reply.

#37
DangerousThing

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

TBPS INI 849 03-20-05 12:32a TBPS.ini
1 file(s) 849 bytes
0 dir(s) 20,834.97 MB free

------- Hidden Files in System Directory -------


Volume in drive C has no label
Volume Serial Number is 401E-1AD8
Directory of C:\WINDOWS\SYSTEM

NSVSVC <DIR> 04-07-05 7:03p nsvsvc
PICSVR <DIR> 03-26-05 8:25p picsvr
ATMENUXX GID 10,842 11-10-04 12:48p ATMenuxx.GID
CPAHLENU GID 10,825 02-23-02 8:53p CPAHLENU.GID
FOLDER HTT 13,122 10-04-01 7:35p folder.htt
DESKTOP INI 266 10-04-01 7:35p desktop.ini
4 file(s) 35,055 bytes
2 dir(s) 20,834.94 MB free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416097EE-FC4A-E167-6011-AF6C211AC428}"=""


------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM\
tbps.ini Sun Mar 20 2005 12:32:02a ..S.R 849 0.83 K

1 item found: 1 file, 0 directories.
Total of file sizes: 849 bytes 0.83 K

------------ Strings.exe Qoologic Results ------------

C:\WINDOWS\unadbeh.exe: c:\Projects\Gozo\Qoologic\PopupClient\FancyUninstall\Release\FancyUninstall.pdb

-------------- Strings.exe Aspack Results -------------


----------------- HKLM Run Key ------------------

-------------- Strings.exe Umonitor Results -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"AtiPTA"="Atiptaxx.exe"
"HPAIO_PrintFolderMgr"="C:\\WINDOWS\\SYSTEM\\hpoopm07.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"WinPatrol"="C:\\PROGRAM FILES\\BILLP STUDIOS\\WINPATROL\\winpatrol.exe"
"Symantec Core LC"="C:\\Program Files\\Common Files\\Symantec Shared\\CCPD-LC\\symlcsvc.exe start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"




#38
DangerousThing

Logfile of HijackThis v1.99.1
Scan saved at 11:26:34 AM, on 4/10/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\WINDOWS\SYSTEM\HPOOPM07.EXE
C:\PROGRAM FILES\BROADJUMP\CLIENT FOUNDATION\CFD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBRWICON.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPODEV07.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOEVM07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOSTS07.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET K SERIES\BIN\HPOFXM07.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YBROWSER.EXE
C:\PROGRAM FILES\YAHOO!\BROWSER\YCOMMON.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:2323
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_12_0.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet K Series\bin\hpodev07.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\WINDOWS\SYSTEM\SHDOCVW.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab

#39
miekiemoes

Dangerousthing was helped in chat with the fixes in hijackthis and deleting the C:\WINDOWS\unadbeh.exe
Now still a little regfix.

Open notepad and copy and paste next content in the white field in it:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{416097EE-FC4A-E167-6011-AF6C211AC428}"=-

Save this as fix.reg, choose to save as *all files, and place it on your desktop.
Double-click on fix.reg and, if asked whether you want to add the contents to the registry, click yes/ok.

Now didom will finish this thread. :tazz:

Edited by miekiemoes, 10 April 2005 - 10:55 AM.

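The `=-` in that fix.reg is what removes the value: the earlier find.bat logs exported the same key with `""`, which means the value existed with empty data, whereas a merge of `"name"=-` deletes it. As an added example (not code from the thread or from any tool it uses), here is a small Python interpreter for the REGEDIT4 subset seen here, replayed against those two snippets; the in-memory registry dict, the function names and the `[-key]` handling are my own constructions for illustration.

```python
import re

# Minimal interpreter for the REGEDIT4 subset used in the thread:
#   [key]            creates or selects a key
#   [-key]           deletes a key and everything beneath it
#   "name"="string"  sets a string value (or creates it)
#   "name"=-         deletes a value
# The registry is modelled as {key_path: {value_name: data}}; this dict is a
# constructed stand-in for the live hive a .reg merge would modify.

HEADER = "REGEDIT4"
KEY_RE = re.compile(r"^\[(?P<neg>-)?(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')

POST_PLATFORM = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\User Agent\Post Platform")
GUID = "{416097EE-FC4A-E167-6011-AF6C211AC428}"

# What the find.bat "User Agent" section exported: value present, data "".
EXPORT_FROM_LOG = f'''REGEDIT4

[{POST_PLATFORM}]
"{GUID}"=""
'''

# The fix.reg posted in the thread: "=-" deletes the value instead of setting it.
FIX_REG = f'''REGEDIT4

[{POST_PLATFORM}]
"{GUID}"=-
'''


def unescape(quoted: str) -> str:
    """Strip the surrounding quotes and undo REGEDIT4 backslash escapes."""
    return re.sub(r"\\(.)", r"\1", quoted[1:-1])


def apply_reg(registry: dict, text: str) -> list:
    """Merge REGEDIT4 text into `registry` in place; return the actions taken."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != HEADER:
        raise ValueError("not a REGEDIT4 file")
    actions, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            path = m.group("path")
            if m.group("neg"):
                # [-key] removes the key and every subkey beneath it
                for k in [k for k in registry
                          if k == path or k.startswith(path + "\\")]:
                    del registry[k]
                    actions.append(("delete_key", k))
                current = None
            else:
                registry.setdefault(path, {})
                current = path
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "" if m.group("name") == "@" else unescape(m.group("name"))
        data = m.group("data")
        if data == "-":
            # "name"=- : delete the value if present (a no-op otherwise)
            if registry[current].pop(name, None) is not None:
                actions.append(("delete_value", current, name))
        elif data.startswith('"') and data.endswith('"'):
            registry[current][name] = unescape(data)
            actions.append(("set_value", current, name))
        else:
            raise ValueError(f"unsupported data for {name!r}: {data!r}")
    return actions


def replay_thread_fix() -> tuple:
    """Apply the exported state, then the fix; return (before, after) values."""
    registry = {}
    apply_reg(registry, EXPORT_FROM_LOG)
    before = dict(registry[POST_PLATFORM])
    apply_reg(registry, FIX_REG)
    after = dict(registry[POST_PLATFORM])
    return before, after


if __name__ == "__main__":
    before, after = replay_thread_fix()
    print("before fix:", before)
    print("after fix: ", after)
```

Merging the export a second time would only re-create the empty value, which is why the fix has to use `=-` rather than `""`.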

#40
DangerousThing

:tazz: Hi guys....a new day has dawned. I am running a BitDefender Scan which has me befuddled...

So far, I have: 6 Identified Viruses
6 Total Virus Bodies
1 Deleted
5 Moved
1 Suspect
4 I/O Errors

The ones that are moved show "disinfection failed". They show in the status column as: Suspect Trojan.Downloader.Small.., Infected Application.Adware.Power, Infected Trojan.Dropper.Small.OF, Infected Trojan.Downloader.Small, Infected Trojan.Delpro.A, Infected Adware.Wheaterbug.A

Infected Adware.BetterInet.B
was deleted....

Is this cause for concern? How can I stop this garbage from getting on this machine?

Edited by DangerousThing, 11 April 2005 - 09:57 AM.


#41
DangerousThing

:tazz: Just for kicks..... here are the scan results from BitDefender. BTW, the scan took almost 11 hours to run! Is this normal, and are these results any cause for concern?

Please advise, and thanks.


//-----------------------------------------------------------------
//
// BitDefender report file
//
// Created on: 11/04/2005 08:24:58
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 4838
Files : 677242
Archives : 2205
Packed files : 52004
Identified viruses : 6
Infected files : 7
Warnings : 0
Suspect files : 1
Disinfected files : 0
Deleted files : 1
Copied files : 0
Moved files : 5
Renamed files : 0
I/O errors : 4
Scan time : 10:52:44
Scan speed (files/sec) : 17

Virus definitions : 120941
Scan plugins : 13
Archive plugins : 38
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\WINDOWS\SYSTEM\winup2date.dll Suspect Trojan.Downloader.Small.Gen
C:\WINDOWS\SYSTEM\winup2date.dll Disinfection failed
C:\WINDOWS\SYSTEM\winup2date.dll Moved
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe Infected Application.Adware.PowerReg.3.0
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe Disinfection failed
C:\WINDOWS\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\21HER6TS\AppWrap[1].exe Infected Trojan.Dropper.Small.OF
C:\WINDOWS\Temporary Internet Files\Content.IE5\21HER6TS\AppWrap[1].exe Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\21HER6TS\AppWrap[1].exe Moved
C:\WINDOWS\appsetup.exe Infected Trojan.Downloader.Small.ACO
C:\WINDOWS\appsetup.exe Disinfection failed
C:\WINDOWS\appsetup.exe Moved
C:\WINDOWS\isrvs\edmond.exe Infected Trojan.Delprot.A
C:\WINDOWS\isrvs\edmond.exe Disinfection failed
C:\WINDOWS\isrvs\edmond.exe Moved
C:\WINDOWS\ceres.dll Infected Adware.BetterInet.B
C:\WINDOWS\ceres.dll Deleted
C:\My Documents\My Pictures\Install_AIM.exe=>wise0041=>wise0008 Infected Adware.Wheaterbug.A
C:\My Documents\My Pictures\Install_AIM.exe=>wise0041=>wise0008 Disinfection failed
C:\My Documents\My Pictures\Install_AIM.exe=>wise0041=>wise0008 Move failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Infected Adware.Wheaterbug.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Disinfection failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 Move failed
Scanned files

#42
miekiemoes

Hello,

Can you manually delete those files? (Where it says: 'Move failed')
If not, try it in safe mode.

Where it said moved, look whether it's present in your quarantine option in BitDefender and delete everything that's in there.

I also see some traces from qoologic, so please perform next:

Download FindQoologic.zip save it to your Desktop.
http://forums.net-in...=post&id=134981

Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder, preferably on your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Wait until a text file opens, then post it in a reply to your thread.

#43
DangerousThing

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»


* ad-beh C:\WINDOWS\TYRHRTG.DLL
* ad-beh C:\WINDOWS\ARUPU.DLL
* ad-beh C:\WINDOWS\VZKMKV.EXE
* ad-beh C:\WINDOWS\BAMRMBO.EXE
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL
* ad-beh C:\WINDOWS\system\WMCONFIG.CPL

»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\POWERR~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 09:01
Operating System: Windows 98


This script requires WMI, which can be downloaded at: http://tinyurl.com/jbxe

#44
miekiemoes

Ok.. killboxing again:

Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold:

C:\WINDOWS\TYRHRTG.DLL
C:\WINDOWS\ARUPU.DLL
C:\WINDOWS\VZKMKV.EXE
C:\WINDOWS\BAMRMBO.EXE
C:\WINDOWS\system\WMCONFIG.CPL


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see that this is pasted in the "Full Path of File to Delete" field.
There's a little arrow (dropdown arrow) next to that field.
If you expand it, these lines must be there together!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot. Click YES
When it asks if you would like to Reboot now, click YES; if you don't get that question, reboot manually.
If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

When rebooted, post a new findqoologic-log.

#45
DangerousThing

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»



»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe C:\WINDOWS\startm~1\programs\startup\POWERR~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"Find activesetup", version1, launched at: 09:26
Operating System: Windows 98