
Malware troubles


#16
k8yse (Topic Starter, Member, 61 posts)
Installed Ewido and got the updates. Then it came up with a screen that says infected file found. The file name was yealfm.exe in the sys32 folder. It is a Trojan Agent.cp. I took the default "clean" option. Then it said to complete cleaning I need to reboot. Selected ok and then it found another, Trojan Agent.db, DrPMon.dll. Cleaned that. Then it found Bolger.dll in C:\Winnt, a Spyware BetterInternet. Cleaned that. Then it found yealfm.exe again. Cleaned that and it found the same file again. Cleaned that and then there were no more infections found.

Then I clicked the start scan. All options were already checked.
During this scan, it found:
administrator@ads.addynamix(1).txt in the Cookies, infection: spyware tracking cookie.
administrator@exitexchange(1).txt in the Cookies, spyware tracking cookie
administrator@www.eadexchange(2).txt in Cookies, spyware tracking cookie
administrator@z1.adserver(1).txt

bb.exe in the temp directory TrojanDownloader.Adload.a
SilentInstallW32.exe Spyware.GogoTools.d
Del77B.tmp TrojanDownloader.Small.asf
thnall2c.exe Spyware BetterInternet
thnall2c.exe Spyware BetterInternet
thnall2c.exe Spyware BetterInternet
f238110144.exe Trojan Downloader .Qoologoc.i
f452831.exe Trojan Downloader .Qoologoc.i
f871413.exe
first.exe Spyware.F1Organizer.h
i15.tmp Spyware SurfSide.a
ll3DA.tmp Spyware.Sahat.m
ms14.tmp TrojanDropper.SurfSide.a
ms7D.tmp TrojanDropper.Small.gl
msA.tmp Spyware.F1Organizer.h
msC.tmp
msdioo.exe Trojan.Small.i
ridemarketing-v5.exe TrojanDownloader.Delmed.a
rming.exe
Then I gave up writing this down. Hopefully this will all be in the log file.

When the scan reached 92%, a program error occurred: SecuritySuite.e.exe
had generated errors and will be closed by Windows. The mouse locked up.
No response from the keyboard. Ctrl-Alt-Delete did not work. Had to shut down
manually.

When it rebooted, security suite launched during boot and found svcproc.exe
as a Trojan.Stervis.c
As it continued to boot, it found Nail.exe a Trojan.Nail
Then the boot completed.
Restarted the Ewido. It had a summary that it found 331 infections.
Then restarted the scan.

Got to 92 percent again; it was in C:\Program Files\FwBarTemp\searchbar.exe.
Same thing, program locks up, mouse locks up, keyboard locks up. Had
to turn off computer.
Still get the svchost.exe generated errors and will be closed.
Two DOS windows open, kmnmak.exe and iptp.exe. I click close and the computer continues to boot. Active desktop needed to be restored.

Launched ewido. Now it says it has found 567 infected files. Start the scanner again. Finds fsg-ag.exe

The program runs. I try to stop the program at 91.9% but it doesn't want to stop. Then it finds C:\winnt\system32\javex80.vxd, a file inside an archive which cannot be cleaned. Do you want to delete the whole archive? Answered: delete. Then security suite again generates errors and must be closed. But this time the machine does not lock up.

Start program again. Now we have 747 infected files found. Program reaches 85% before finding any problem files (Bargainbuddy). Program again generates
errors around 92% and closes but does not lock up. We got two other files inside archives before it stopped.

Restarted program. Now we have found 765 files. This time we reached the end without a crash. Log file saved but only 16 files in the report.

Reboot. Still get the svchost.exe generated errors and will be shut down plus
the two dos windows that have kmnmak.exe and iptp.exe as their title. Clicked close on both and boot continues.

Scan Report from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:50:33 AM, 5/3/2005
+ Report-Checksum: 5CD3C98D

+ Date of database: 5/3/2005
+ Version of scan engine: v3.0

+ Duration: 195 min
+ Scanned Files: 68942
+ Speed: 5.87 Files/Second
+ Infected files: 16
+ Removed files: 16
+ Files put in quarantine: 16
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINNT\system32\mac80ex.idf/C:/WINNT/system32/msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\msbe.dll -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\WINNT\system32\msdioo.exe -> Trojan.Small.i -> Cleaned with backup
C:\WINNT\system32\nsj5.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsj71B.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsl3.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsn3.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nso732.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\system32\nsvsvc\nsv.ocx -> Spyware.DelphinMediaViewer.c -> Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvs.dll -> Spyware.DelphinMedia.f -> Cleaned with backup
C:\WINNT\system32\q17i9a4j.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\WINNT\system32\rhghere.dll -> TrojanDownloader.Qoologic.i -> Cleaned with backup
C:\WINNT\system32\rtneg2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINNT\unadbeh.exe -> TrojanDropper.Win32.Small.wc -> Cleaned with backup


::Report End

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:56 AM, on 5/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a4advi41] C:\Program Files\a4advi41\a4advi41.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: iptp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

Thanks!
  • 0

#17
k8yse (Topic Starter, Member, 61 posts)
Ran Ewido again and it found 5 more files:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:11:51 AM, 5/3/2005
+ Report-Checksum: 61D0A1E3

+ Date of database: 5/3/2005
+ Version of scan engine: v3.0

+ Duration: 56 min
+ Scanned Files: 68940
+ Speed: 20.40 Files/Second
+ Infected files: 5
+ Removed files: 5
+ Files put in quarantine: 5
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINNT\system32\exdl.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINNT\system32\exdl0.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINNT\system32\exdl1.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINNT\system32\exdl2.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
C:\WINNT\system32\mqexdlm.srg -> Spyware.BargainBuddy.q -> Cleaned with backup


::Report End

Thanks.
  • 0

#18
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi John, we will need to run through this again:
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINNT\system32\kmnmak.exe
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\Program Files\a4advi41\a4advi41.exe
    • c:\winnt\system32\tfzxiv.exe
    • C:\WINNT\system32\a5wu37rd.exe
    • C:\WINNT\system32\AUNPS2.dll
    • C:\WINNT\system32\first.exe
    • C:\WINNT\system32\kbvbg.dat
    • C:\WINNT\system32\kmnmak.exe
    • C:\WINNT\system32\locate.com
    • C:\WINNT\system32\msdjgk.dll
    • C:\WINNT\system32\mseggo.gif
    • C:\WINNT\system32\msfaol.dll
    • C:\WINNT\system32\msiaih.dll
    • C:\WINNT\system32\msnimk.gif
    • C:\WINNT\system32\second.exe
    • C:\WINNT\system32\tfzxiv.exe
    • C:\WINNT\system32\third.exe
    • C:\WINNT\system32\upapo.dll
    • C:\WINNT\system32\winup2date.dll
    • C:\WINNT\system32\wmconfig.cpl
    • C:\WINNT\system32\elitebgs32.exe
    • C:\WINNT\system32\elitelda32.exe
    • C:\WINNT\del.tmp
    • C:\WINNT\Nail.exe
    • C:\WINNT\nvksjiuvbik.exe
    • C:\WINNT\svcproc.exe
    • C:\WINNT\tsc.exe
    • C:\WINNT\vsapi32.dll
    • C:\WINNT\wupdsnff.exe
    • C:\WINNT\protector_update.exe
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iptp.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\WINNT\system32\mrorxmx.exe
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

  • 0

#19
k8yse (Topic Starter, Member, 61 posts)
Killbox ran successfully, and reboot was normal.
The svchost generated errors message came up again,
then the two DOS windows, kmnmak.exe and iptp.exe.
Clicked close to terminate application as before.

Ran qoologic2. Got a 16-bit MS-DOS subsystem window:
c:\WINNT\system32\cmd.exe
C:\WINNT\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications Choose 'Close' to terminate the application.

Clicked "close". Got the same window again. Clicked "close", got the same window again, clicked "close", and clicked "close" 17 more times. Then Notepad opened with a text file:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Instant Wireless Configuration Utility.lnk
iptp.exe
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 23:27
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]


Then I ran Hijack this just in case you wanted it again:

Logfile of HijackThis v1.99.1
Scan saved at 11:33:55 PM, on 5/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a4advi41] C:\Program Files\a4advi41\a4advi41.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: iptp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)

Thanks again.

John
  • 0

#20
don77 (Malware Expert, Retired Staff, 18,526 posts)
Ok John,
Print out these instructions please. I need you to do a few things here:

Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

System Startup Service

or

SvcProc

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

SvcProc
Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Next,
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINNT\system32\kmnmak.exe
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for this file:
    • C:\Program Files\a4advi41\a4advi41.exe
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iptp.exe
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots,
  • Please restart HJT put a check next to the following, close all open windows and click “Fix Checked”

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
    O4 - HKLM\..\Run: [a4advi41] C:\Program Files\a4advi41\a4advi41.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
    O4 - Global Startup: iptp.exe

  • Reboot your computer
  • please run Find-Qoologic2.bat again and post the new log here.
  • and a fresh HJT log
  • and a fresh RKFiles log

  • 0
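The five HijackThis lines the helper has the user fix above, plus the SvcProc service removed through Services.msc, can all be picked out of the log mechanically. The following Python script is an added example, not code from this thread or from the HijackThis or Killbox authors. It parses an HJT v1.99 log and flags entries by the same patterns the helper acted on: orphaned "(file missing)" hooks, O23 services with no vendor name, a bare .exe sitting in the Global Startup folder instead of a .lnk shortcut, an empty R0 value, and file names that appear on the Killbox removal list. The embedded sample is a shortened copy of the log posted above; the function names, the `EXPERT_BAD_PATHS` list and the rule wording are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Sample log: a shortened copy of the HijackThis log posted earlier in this
# thread (post #19), embedded here so the script runs offline.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:33:55 PM, on 5/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\svchost.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINNT\Bolger.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [a4advi41] C:\Program Files\a4advi41\a4advi41.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\kmnmak.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: iptp.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe (file missing)
"""

# Paths the helper told the user to remove with Killbox in this post. Only the
# file names are used for matching, so entries without a full path still hit.
EXPERT_BAD_PATHS = [
    r"C:\WINNT\system32\kmnmak.exe",
    r"C:\Program Files\a4advi41\a4advi41.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\iptp.exe",
]

# HJT entries look like "O4 - ..." / "R0 - ..." / "F2 - ...".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Entry:
    section: str  # e.g. "O4", "O23"
    text: str     # everything after "O4 - "


@dataclass
class Finding:
    entry: Entry
    reasons: List[str] = field(default_factory=list)


def parse_hjt(log: str) -> Tuple[List[str], List[Entry]]:
    """Split an HJT log into the running-process list and the numbered entries."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first Rx/Ox line ends the process list
            entries.append(Entry(m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: List[Entry], bad_paths: List[str]) -> List[Finding]:
    """Flag entries matching the patterns the helper acted on in this thread."""
    bad_names = {_basename(p) for p in bad_paths}
    findings = []
    for e in entries:
        low = e.text.lower()
        reasons = []
        if e.section.startswith("R") and low.endswith("="):
            reasons.append("IE registry value is empty")
        if "(file missing)" in low:
            reasons.append("points at a file that no longer exists (orphaned hook)")
        if e.section == "O23" and "unknown owner" in low:
            reasons.append("service with no vendor name")
        if e.section == "O4" and low.startswith("global startup:"):
            item = e.text.split(":", 1)[1].strip()
            if " = " not in item and item.lower().endswith(".exe"):
                reasons.append("bare .exe in the Startup folder instead of a .lnk shortcut")
        if any(name in low for name in bad_names):
            reasons.append("file name is on the removal list")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


def report(log: str, bad_paths: List[str] = EXPERT_BAD_PATHS) -> List[Finding]:
    """Parse, triage and print; returns the findings for further use."""
    processes, entries = parse_hjt(log)
    findings = triage(entries, bad_paths)
    print(f"{len(processes)} processes, {len(entries)} entries, {len(findings)} flagged")
    for f in findings:
        print(f"{f.entry.section} - {f.entry.text}")
        for r in f.reasons:
            print(f"    -> {r}")
    return findings


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run on the sample, it flags six entries: the five lines listed under "Fix Checked" above and the SvcProc service, while the Google, Real and Linksys entries pass. The heuristics only reproduce this thread's triage; an entry that survives them is not proof that it is clean, which is why the helper still asks for fresh logs after each step.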

#21
k8yse (Topic Starter, Member, 61 posts)
At the final reboot, the svchost.exe error message came up but the 16-bit DOS windows did not. When I ran qoologic2, the 16-bit MS-DOS Subsystem window came up with the error:
c:\WINNT\system32\cmd.exe
C:\WINNT\system32\autoexec.nt. The system file is not suitable for running MS-DOS and Microsoft Windows applications Choose 'Close' to terminate the application.

I clicked close to terminate, and the error message came up in the DOS window several times:
The process cannot access the file because it is being used by another process.
After the 7th time I hit close I saw:

'reg' is not recognized as an internal or external command, operable program or batch file.

The logfile window opened up. I moved on to the next step.

Here's the qoologic file:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Instant Wireless Configuration Utility.lnk
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 22:32
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:39:10 PM, on 5/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe

LogRK file:

C:\Antispyware\RKFiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye


Thanks.

John
  • 0

#22
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Forgot to mention:

I rebooted the computer and I still get the error message that svchost.exe has generated errors and will be closed by Windows. No DOS windows open.

John
  • 0

#23
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK John, we are getting there.
Please go Here, scroll down the page, and follow the instructions to run the FixBlast.exe tool.

Everything else at this point looks good.
  • 0

#24
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
I ran the W32.Blaster removal tool. It finished with the message that W32.Blaster has not been found on your computer.

I rebooted and the boot was normal except for that "svchost.exe has generated errors and will be closed by Windows" message.

Thanks.

John
  • 0

#25
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi John,
check Windows for updates:

http://v5.windowsupd...t.aspx?ln=en-us


Let me know how you make out.
  • 0

#26
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
I ran HouseCall while I was gone and it found one file in Docs & Settings/administrator that was a troj.small.i, which is now named vbs.inor.c.
I deleted it.

Then I ran Windows Update and installed 5 updates: one for SP1 IE6, 3 for Win2000 and one for BITS.

I'm thinking about uninstalling McAfee and going with AVG as recommended on your website. Would you recommend that I buy the subscription to Ewido rather than SpywareBlaster etc.? I'll also start using Firefox as a web browser and email client rather than IE and Outlook.

That "svchost.exe has generated errors and will be closed by Windows" message still comes up at bootup. Any way to get rid of that?

So far so good. Thanks.

John
  • 0

#27
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

I'm thinking about uninstalling McAfee and going with AVG as recommended on your website. Would you recommend that I buy the subscription to Ewido rather than SpywareBlaster etc.?


Uninstalling McAfee is your choice. Buying a subscription to Ewido is, again, your choice. I run SpywareBlaster and, knock knock knock on wood, have had no problems...
  • Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

  • Unzip/extract the files inside to a folder on your desktop.
  • Open the folder and run FindIt's.bat and wait for Notepad to open a text file. It will take a while, so please be patient...
  • Then post the results here please, along with the new HijackThis log.

That "svchost.exe has generated errors and will be closed by Windows" message still comes up at bootup. Any way to get rid of that?


Let's see if FindIt shows us anything.
  • 0

#28
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Ran FindIt's.bat. First a 16-bit MS-DOS subsystem window opened up with:
C:\winnt\system32\cmd.exe
C:\winnt\system32\autoexec.nt The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose "close" to terminate the application.

I chose "close" 34 times. Then it said press any key to continue. Then we got
'reg' is not recognized as an internal or external command, operable program or batch file multiple times in the window.

The log file opened.

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 05/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\SYSTEM32

04/02/2005 07:43p <DIR> cache32_rtneg
04/18/2005 03:09p <DIR> cache32_rtneg2
04/20/2005 08:27p <DIR> cache32_rtneg3
04/10/2005 09:22a <DIR> cache32_rtneg4
0 File(s) 0 bytes
4 Dir(s) 14,357,131,264 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\system32

04/20/2005 08:27p 3,262 bingo_big2.ico
03/30/2005 08:37a 2,238 Casino-on-Net.ico
04/30/2005 11:06p 3,262 creditcard32123123123asdsa.ico
03/30/2005 08:38a 3,774 Free Cell Phone.ico
03/30/2005 08:37a 7,358 Free LapTop Computer.ico
03/30/2005 08:37a 7,358 Free Picture iPod.ico
03/30/2005 08:38a 3,774 Free Ringtones!.ico
03/30/2005 08:37a 7,358 Free Sony Playstation.ico
03/30/2005 08:38a 3,774 Free Starbucks Coffee.ico
03/30/2005 08:37a 7,358 Free U2 iPod.ico
04/20/2005 08:27p 4,286 greenmovie2313asaadsasfad.ico
04/30/2005 11:06p 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/10/2005 09:22a 3,262 kas pink1233aadsfa.ico
04/19/2005 04:30p 3,262 kas pink1233aadsfa1.ico
04/18/2005 03:09p 3,262 kas pink1233aadsfa12.ico
04/07/2005 06:59p 4,286 kevid231231aa.ico
04/30/2005 11:06p 3,262 kill popups.ico
04/28/2005 10:51p 3,262 kill spyware1.ico
04/30/2005 11:06p 4,286 mp3red51aads.ico
04/20/2005 08:27p 4,286 mp3red51aads1.ico
03/30/2005 08:37a 3,774 NBA Giveaway.ico
04/02/2005 04:54p 12,862 Party Poker.ico
03/30/2005 08:37a 3,774 PartyPoker.com.ico
04/02/2005 05:41p 4,286 pop up blaster1232131.ico
04/10/2005 09:22a 3,262 popupkiller2asdf.ico
04/19/2005 04:30p 3,262 popupkiller2asdf1.ico
04/02/2005 05:41p 2,238 red_kas1.ico
04/30/2005 11:06p 2,238 red_kas21.ico
04/02/2005 04:54p 204,862 Smiley Central.ico
04/02/2005 04:53p 49,062 The Shield Professional 2005.ico
04/30/2005 11:06p 3,262 vh e233.ico
04/10/2005 09:21a 19,942 virus hunter yeah1.ico
32 File(s) 400,080 bytes
0 Dir(s) 14,357,131,264 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:53 PM, on 5/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\VsStat.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Vshwin32.exe
C:\PROGRA~1\NETWOR~1\VIRUSS~1\Avconsol.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Internet Downloads\HiJackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\PROGRA~1\NETWOR~1\VIRUSS~1\avsynmgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: McShield - Network Associates, Inc. - C:\PROGRA~1\COMMON~1\NETWOR~1\McShield\mcshield.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe

Just a note to say that IE takes a while to launch: about 13 seconds before the window actually appears and another 10 seconds for a web page to display. Once launched, it then displays pages rather quickly; it is just sluggish on startup. I notice that on other tasks like screen properties etc. It seems as if there is something else at work here, but it is liveable.

Thanks.

John
  • 0

#29
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi John,
See this article for the 16-bit MS-DOS issue.

Next, reboot to safe mode, open C:\WINNT\SYSTEM32, and search for and remove the following from it:

bingo_big2.ico
Casino-on-Net.ico
creditcard32123123123asdsa.ico
Free Cell Phone.ico
Free LapTop Computer.ico
Free Picture iPod.ico
Free Ringtones!.ico
Free Sony Playstation.ico
Free Starbucks Coffee.ico
Free U2 iPod.ico
greenmovie2313asaadsasfad.ico
greenmovie2313asaadsasfad112341231adsfa.ico
kas pink1233aadsfa.ico
kas pink1233aadsfa1.ico
kas pink1233aadsfa12.ico
kevid231231aa.ico
kill popups.ico
kill spyware1.ico
mp3red51aads.ico
mp3red51aads1.ico
NBA Giveaway.ico
Party Poker.ico
PartyPoker.com.ico
pop up blaster1232131.ico
popupkiller2asdf.ico
popupkiller2asdf1.ico
red_kas1.ico
red_kas21.ico
Smiley Central.ico
The Shield Professional 2005.ico
vh e233.ico
virus hunter yeah1.ico

Reboot, run FindIt again, and please post back a fresh log.
  • 0
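The FindIt's output in post #28 and the removal list in post #29 rest on two indicators visible in the `dir` listings the tool echoes: `cache32_rtneg*` folders under `C:\WINNT\SYSTEM32`, and a crop of advertising `.ico` files sitting directly in the same folder. The listing also shows several icons sharing an exact to-the-minute timestamp with one of the cache folders, which is the kind of correlation a responder would use to tie the dropped files to one installer run. The script below is an added example, not the FindIt's tool or any code posted in this thread: it parses the Windows 2000 `dir` format from a log, flags both indicators, and groups the `.ico` files by the minute each `cache32_rtneg*` folder was created. The sample input is a constructed, abbreviated copy of the listing in post #28 (the same entries, only 9 of the 32 icons); the function and class names are my own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: an abbreviated copy of the two `dir` listings that
# FindIt's echoed into the log in post #28 (same entries, only 9 of the 32 icons).
SAMPLE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 2CFA-4046

 Directory of C:\WINNT\SYSTEM32

04/02/2005  07:43p      <DIR>          cache32_rtneg
04/18/2005  03:09p      <DIR>          cache32_rtneg2
04/20/2005  08:27p      <DIR>          cache32_rtneg3
04/10/2005  09:22a      <DIR>          cache32_rtneg4
               0 File(s)              0 bytes
               4 Dir(s)  14,357,131,264 bytes free

 Directory of C:\WINNT\system32

04/20/2005  08:27p               3,262 bingo_big2.ico
03/30/2005  08:37a               2,238 Casino-on-Net.ico
04/20/2005  08:27p               4,286 greenmovie2313asaadsasfad.ico
04/10/2005  09:22a               3,262 kas pink1233aadsfa.ico
04/18/2005  03:09p               3,262 kas pink1233aadsfa12.ico
04/20/2005  08:27p               4,286 mp3red51aads1.ico
04/02/2005  04:54p              12,862 Party Poker.ico
04/10/2005  09:22a               3,262 popupkiller2asdf.ico
04/10/2005  09:21a              19,942 virus hunter yeah1.ico
               9 File(s)          56,662 bytes
               0 Dir(s)  14,357,131,264 bytes free
"""

# One `dir` entry line as Windows 2000 prints it: date, 12-hour time with an
# a/p suffix, then either <DIR> or a comma-grouped size, then the name. The
# name may contain spaces ("kas pink1233aadsfa.ico"), so it is captured lazily
# up to the end of the line. Header, total and blank lines do not match.
DIR_LINE = re.compile(
    r"^\s*(\d{2}/\d{2}/\d{4})\s+(\d{1,2}:\d{2}[ap])\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)


@dataclass(frozen=True)
class DirEntry:
    stamp: str   # "MM/DD/YYYY HH:MMa" exactly as dir printed it (minute resolution)
    name: str
    is_dir: bool
    size: int    # 0 for directories


def parse_dir_listing(text: str) -> List[DirEntry]:
    """Return every file/directory entry found in a block of `dir` output."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m:
            continue  # volume header, "Directory of", totals, blank lines
        date, time, size_or_dir, name = m.groups()
        is_dir = size_or_dir == "<DIR>"
        size = 0 if is_dir else int(size_or_dir.replace(",", ""))
        entries.append(DirEntry(f"{date} {time}", name, is_dir, size))
    return entries


def find_indicators(entries: List[DirEntry]) -> Tuple[List[DirEntry], List[DirEntry]]:
    """Split out the two indicators FindIt's checks for in system32:
    cache32_rtneg* directories and loose .ico files."""
    cache_dirs = [e for e in entries
                  if e.is_dir and e.name.lower().startswith("cache32_rtneg")]
    ico_files = [e for e in entries
                 if not e.is_dir and e.name.lower().endswith(".ico")]
    return cache_dirs, ico_files


def correlate_by_timestamp(cache_dirs: List[DirEntry],
                           ico_files: List[DirEntry]) -> Dict[str, List[str]]:
    """Map each cache32_rtneg* directory to the .ico files written in the
    same minute, i.e. the icons most likely dropped by the same installer run."""
    by_stamp = defaultdict(list)
    for f in ico_files:
        by_stamp[f.stamp].append(f.name)
    return {d.name: sorted(by_stamp.get(d.stamp, [])) for d in cache_dirs}


def report(log_text: str) -> Dict[str, object]:
    """Parse a FindIt-style log and summarise the indicators it contains."""
    entries = parse_dir_listing(log_text)
    cache_dirs, ico_files = find_indicators(entries)
    return {
        "cache_dirs": [d.name for d in cache_dirs],
        "ico_files": [f.name for f in ico_files],
        "dropped_together": correlate_by_timestamp(cache_dirs, ico_files),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_LOG)
    print("cache32_rtneg* folders:", summary["cache_dirs"])
    print("loose .ico files:", len(summary["ico_files"]))
    for folder, icons in summary["dropped_together"].items():
        print(f"{folder}: {icons or '(no icon written in the same minute)'}")
```

Run against the full listing from post #28 instead of the abbreviated sample, the same grouping puts `kas pink1233aadsfa12.ico` with `cache32_rtneg2`, three icons with `cache32_rtneg3`, and two with `cache32_rtneg4`, while `cache32_rtneg` (07:43p on 04/02/2005) has no icon written in its minute. That is why the timestamp view is useful in a case like this one: it separates files that arrived together from files that merely share a folder, and it gives a reason to look at whatever else was written in those same minutes before deleting anything.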

#30
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
There were three .ico files that could not be deleted. They were all zero-byte files:
NBA Giveaway
Party Poker
PartyPoker.com

When I ran FindIt, I got the error message again and
"the process cannot access the file because it is being used by another process"
repeatedly.

Then I got the 'reg' is not recognized as an internal or external command, operable program or batch file message
repeatedly.

Before doing this I did uninstall McAfee antivirus and installed the free version of AVG. I ran AVG and it found 13 trojan files, all in the Docs & Settings/administrator/temp directory or the cache directory. All were deleted.
HouseCall apparently did not find these when I ran the scan on the internet this morning.

Didn't do anything with the MS-DOS window link that you sent. I noticed it was for WinXP, but one of the links talked about W2K Server, and in that article it said that it applied to W2K.

Findit log:


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 05/05/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first





»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\SYSTEM32

04/02/2005 07:43p <DIR> cache32_rtneg
04/18/2005 03:09p <DIR> cache32_rtneg2
04/20/2005 08:27p <DIR> cache32_rtneg3
04/10/2005 09:22a <DIR> cache32_rtneg4
0 File(s) 0 bytes
4 Dir(s) 14,248,607,744 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»».


Thanks.

John
  • 0
