Malware troubles



#31
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry about that John

To resolve this issue, type the following commands at a command prompt to expand the Autoexec.nt, Command.com, and Config.nt files from the Windows 2000 or Windows Server 2003 installation CD-ROM to the Windows\System32 or Winnt\System32 folder. Press ENTER after you type each command. When you type these commands, replace cd-rom with the letter for your CD-ROM drive, drive_letter with the drive letter for your system partition, and system_root with the name of your Windows 2000 or Windows Server 2003 folder (this is typically either Winnt or Windows). After you type these commands, restart your computer:

expand d:\i386\config.nt_ c:\winnt\system32\config.nt

expand d:\i386\autoexec.nt_ c:\winnt\system32\autoexec.nt

expand d:\i386\command.co_ c:\winnt\system32\command.com

NOTE:

1. d:\ is your CD-ROM drive letter (Change as necessary)
2. If c:\winnt\system32\config.nt does not work, try c:\winnt\system32\config, autoexec, command, etc.
  • 0


#32
k8yse

    Member

  • Topic Starter
  • Member
  • 61 posts
Now we are getting somewhere. I expanded those files... I had to experiment some because it seems like the case of some of the directories etc. had to be in caps or it didn't work. Got them all expanded into the system32 directory.

Ran findits and this time there were no dos window errors. It took quite a while to run this program. When it finished and said press any key to continue, I did get the lines:

'reg' is not recognized as an internal or external command, operable program or batch file.

Qoologic2 also had the same problem with the 16bit dos window. Should I run that one again now that the dos window problem is fixed?

Here's the findits log:


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Fri 05/06/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINNT\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINNT\System32\4L6J3UM2.EXE
* SAHAgent C:\WINNT\F7HFI032.EXE
* SAHAgent C:\WINNT\System32\4L6J3UM2.INI
* SAHAgent C:\WINNT\System32\70TOVMTO.INI
* SAHAgent C:\WINNT\System32\AP9H4QMO.INI
* SAHAgent C:\WINNT\System32\F7HFI032.INI
* SAHAgent C:\WINNT\System32\JCJODD2N.INI
* SAHAgent C:\WINNT\System32\Q17I9A4J.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\SYSTEM32

04/02/2005 07:43p <DIR> cache32_rtneg
04/18/2005 03:09p <DIR> cache32_rtneg2
04/20/2005 08:27p <DIR> cache32_rtneg3
04/10/2005 09:22a <DIR> cache32_rtneg4
0 File(s) 0 bytes
4 Dir(s) 14,250,786,816 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»».

Here's another HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 2:00:40 AM, on 5/6/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181.../proxy/CCMP.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn...UC/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = uanet.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = uanet.edu
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hummingbird Inetd (HCLInetd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\system32\ibmpmsvc.exe
O23 - Service: Hummingbird Jconfig Daemon (Jconfigd) - Hummingbird Ltd. - C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. - C:\WINNT\system32\dllcache\aysshell.exe


Still get the svchost.exe error at bootup.

Hope this helps.

Thanks.

John
  • 0

#33
k8yse

    Member

  • Topic Starter
  • Member
  • 61 posts
I ran another ewido. It found some BetterInternet files. Ewido has been running in the background so I don't know where these came from.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:04:05 AM, 5/6/2005
+ Report-Checksum: C3172BC4

+ Date of database: 5/6/2005
+ Version of scan engine: v3.0

+ Duration: 81 min
+ Scanned Files: 69651
+ Speed: 14.28 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Administrator\Local Settings\Temp\GEW\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\HZJ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\JAT\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\LEA\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\seedcorn_MediaAccessInstPack.exe -> Spyware.WinAD.am -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\THB\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\UNU\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\VPC\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\VVC\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\WMB\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\XZA\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\Administrator\Local Settings\Temp\YHQ\aurareco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINNT\system32\Cache\thin-8-3-x-x.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End

thanks.

John
  • 0

#34
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
That's good news,

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINNT\System32\4L6J3UM2.EXE
C:\WINNT\F7HFI032.EXE
C:\WINNT\System32\4L6J3UM2.INI
C:\WINNT\System32\70TOVMTO.INI
C:\WINNT\System32\AP9H4QMO.INI
C:\WINNT\System32\F7HFI032.INI
C:\WINNT\System32\JCJODD2N.INI
C:\WINNT\System32\Q17I9A4J.INI

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.


Please run Qoologic2 again as well and post back the log, along with a fresh findit.

Also
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Generate StartupList Log button.
  • Once you click the button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste the contents back to this post please

  • 0

#35
k8yse

    Member

  • Topic Starter
  • Member
  • 61 posts
No files were found on the first Killbox pass.
Entered all the files again for delete on reboot.
Popup said "PendingFileRenameOperations Registry Data has been Removed by External Process!" I clicked OK.
Ran Killbox again, it did its verifying thing again and then displayed the same error message above.

Rebooted the computer. Got the svchost.exe error message again.

Qoologic2:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* urllogic C:\WINNT\ZHKHR.DLL
* qoologic C:\WINNT\ZHKHR.DLL

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Instant Wireless Configuration Utility.lnk
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 20:40
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]


Findit:


Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Fri 05/06/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINNT\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINNT\System32\4L6J3UM2.EXE
* SAHAgent C:\WINNT\F7HFI032.EXE
* SAHAgent C:\WINNT\System32\4L6J3UM2.INI
* SAHAgent C:\WINNT\System32\70TOVMTO.INI
* SAHAgent C:\WINNT\System32\AP9H4QMO.INI
* SAHAgent C:\WINNT\System32\F7HFI032.INI
* SAHAgent C:\WINNT\System32\JCJODD2N.INI
* SAHAgent C:\WINNT\System32\Q17I9A4J.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\SYSTEM32

04/02/2005 07:43p <DIR> cache32_rtneg
04/18/2005 03:09p <DIR> cache32_rtneg2
04/20/2005 08:27p <DIR> cache32_rtneg3
04/10/2005 09:22a <DIR> cache32_rtneg4
0 File(s) 0 bytes
4 Dir(s) 14,249,869,312 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»».


Hijack Startup:

StartupList report, 5/6/2005, 8:59:56 PM
StartupList version: 1.52.2
Started from : C:\Internet Downloads\HiJackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
LTWinModem1 = ltmsg.exe 9
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{1D0D9077-3798-49BB-9058-393499174D5D}]
CODEBASE = file://c:\counter.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.googl...n/GoogleNav.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[CCMPGui Class]
InProcServer32 = C:\WINNT\System32\ccmp392.dll
CODEBASE = http://64.124.45.181.../proxy/CCMP.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.googl...gleActivate.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8444.6929861111

[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sc.groups.msn...UC/MsnPUpld.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

xifwts = C:\WINNT\system32\xifwts.exe

--------------------------------------------------

End of report, 6,213 bytes
Report generated in 0.481 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


Hope this helps. Thanks.

John
  • 0

#36
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi John,
Added a couple more to the list to be killed with Killbox. Might be helpful to print this out so you're sure to get them.
After you're done, please post back a fresh findit, Qoologic2 and RKFiles log.

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINNT\System32\4L6J3UM2.EXE
C:\WINNT\F7HFI032.EXE
C:\WINNT\System32\4L6J3UM2.INI
C:\WINNT\System32\70TOVMTO.INI
C:\WINNT\System32\AP9H4QMO.INI
C:\WINNT\System32\F7HFI032.INI
C:\WINNT\System32\JCJODD2N.INI
C:\WINNT\System32\Q17I9A4J.INI
C:\WINNT\ZHKHR.DLL
C:\WINNT\system32\xifwts.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.

  • 0
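The kill list in the post above is the SAHAgent hits from the findit log, the Qoologic2 "Files found" hit and the executable StartupList showed under the policies\Explorer\Run key, merged by hand. The Python below is an added example, not part of this thread or of findit, Qoologic2, StartupList or Killbox: it parses constructed excerpts modelled on the logs posted here and rebuilds that list; which log sections and which registry key count as delete candidates is an assumption that mirrors the helper's choice, not a rule of the tools.

```python
import re
from collections import OrderedDict

# Constructed excerpts modelled on the findit, Qoologic2 and StartupList output
# posted in this thread; the paths are the ones the thread lists.
FINDIT_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
* UPX! C:\WINNT\TSC.EXE
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
* SAHAgent C:\WINNT\System32\4L6J3UM2.EXE
* SAHAgent C:\WINNT\F7HFI032.EXE
* SAHAgent C:\WINNT\System32\4L6J3UM2.INI
* SAHAgent C:\WINNT\System32\70TOVMTO.INI
* SAHAgent C:\WINNT\System32\AP9H4QMO.INI
* SAHAgent C:\WINNT\System32\F7HFI032.INI
* SAHAgent C:\WINNT\System32\JCJODD2N.INI
* SAHAgent C:\WINNT\System32\Q17I9A4J.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»» Checking Windir\svcproc.exe and nail.exe.
"""

QOOLOGIC_LOG = r"""
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* urllogic C:\WINNT\ZHKHR.DLL
* qoologic C:\WINNT\ZHKHR.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"""

STARTUPLIST_LOG = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

xifwts = C:\WINNT\system32\xifwts.exe

--------------------------------------------------
"""

SECTION_RE = re.compile(r"^»+\s*(.*?)\s*»+\s*$")   # "»»» Name »»»" header line
ENTRY_RE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")  # "* TAG path" hit line

# Assumption mirroring the helper's triage: only detector-hit sections are
# delete candidates; the "Suspect's" section (UPX-packed files) is left alone.
DELETE_SECTIONS = {"SAHAgent Files found", "Files found"}
SUSPECT_KEY_FRAGMENT = "policies\\Explorer\\Run"


def parse_marker_log(text):
    """Group '* TAG path' lines under the '»»» Name »»»' header above them."""
    sections = OrderedDict()
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        hit = ENTRY_RE.match(line)
        if hit and current is not None:
            sections[current].append((hit.group(1), hit.group(2)))
    return sections


def parse_startuplist_runs(text):
    """Map each 'Autorun entries from Registry:' key to its (name, command) pairs."""
    runs = OrderedDict()
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if lines[i].strip() == "Autorun entries from Registry:" and i + 1 < len(lines):
            key = lines[i + 1].strip()
            runs[key] = []
            i += 2
            while i < len(lines) and not lines[i].startswith("-----"):
                if " = " in lines[i]:
                    name, cmd = lines[i].split(" = ", 1)
                    runs[key].append((name.strip(), cmd.strip()))
                i += 1
        else:
            i += 1
    return runs


def command_path(cmd):
    """Executable path of a Run-key command line: quoted path or first token."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def build_kill_list(findit_text, qoologic_text, startuplist_text):
    """Detector hits plus the executable under the policies Run key, de-duplicated
    case-insensitively (Windows paths) while keeping first-seen order."""
    candidates = []
    for log in (findit_text, qoologic_text):
        for section, entries in parse_marker_log(log).items():
            if section in DELETE_SECTIONS:
                candidates.extend(path for _tag, path in entries)
    for key, entries in parse_startuplist_runs(startuplist_text).items():
        if SUSPECT_KEY_FRAGMENT.lower() in key.lower():
            candidates.extend(command_path(cmd) for _name, cmd in entries)
    seen, result = set(), []
    for path in candidates:
        if path.lower() not in seen:
            seen.add(path.lower())
            result.append(path)
    return result


if __name__ == "__main__":
    for path in build_kill_list(FINDIT_LOG, QOOLOGIC_LOG, STARTUPLIST_LOG):
        print(path)
```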

#37
k8yse

    Member

  • Topic Starter
  • Member
  • 61 posts
Ran Killbox. This time it had no trouble and it rebooted by itself.

svchost.exe error message box appeared.

Qoologic:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f85ba9

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Instant Wireless Configuration Utility.lnk
Microsoft Office.lnk

User Startup:
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
.
..
HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

"Find activesetup", version1, launched at: 11:39
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
\StubPath = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]
"{6BF52A52-394A-11d3-B153-00C04F79FAA6}\(Default)" = "Microsoft Windows Media Player"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserRemove" [MS]


Findits:

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Sat 05/07/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINNT\TSC.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINNT\System32\4L6J3UM2.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\SYSTEM32

04/02/2005 07:43p <DIR> cache32_rtneg
04/18/2005 03:09p <DIR> cache32_rtneg2
04/20/2005 08:27p <DIR> cache32_rtneg3
04/10/2005 09:22a <DIR> cache32_rtneg4
0 File(s) 0 bytes
4 Dir(s) 14,249,013,248 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 2CFA-4046

Directory of C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»».

Hijackthis Startup:

StartupList report, 5/7/2005, 11:56:44 AM
StartupList version: 1.52.2
Started from : C:\Internet Downloads\HiJackthis\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Inetd\inetd32.exe
C:\WINNT\System32\Hummingbird\Connectivity\7.00\Jconfig\jconfigdNT.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\ltmsg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Internet Downloads\HiJackthis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
LTWinModem1 = ltmsg.exe 9
AVG7_CC = C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{1D0D9077-3798-49BB-9058-393499174D5D}]
CODEBASE = file://c:\counter.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[{6CB5E471-C305-11D3-99A8-000086395495}]
CODEBASE = http://toolbar.googl...n/GoogleNav.cab

[HouseCall Control]
InProcServer32 = C:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai...all/xscan53.cab

[CCMPGui Class]
InProcServer32 = C:\WINNT\System32\ccmp392.dll
CODEBASE = http://64.124.45.181.../proxy/CCMP.cab

[{8EDAD21C-3584-4E66-A8AB-EB0E5584767D}]
CODEBASE = http://toolbar.googl...gleActivate.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupd...8444.6929861111

[MSN Photo Upload Tool]
InProcServer32 = C:\WINNT\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://sc.groups.msn...UC/MsnPUpld.cab

[CV3 Class]
InProcServer32 = C:\WINNT\System32\wuv3is.dll
CODEBASE = http://windowsupdate...en/actsetup.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

xifwts = C:\WINNT\system32\xifwts.exe

--------------------------------------------------

End of report, 6,214 bytes
Report generated in 0.281 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Didn't know if you wanted these but thought you would.

thanks

John
  • 0
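The StartupList report above shows two entries that stand out in this kind of log: a Download Program Files item whose CODEBASE is a local file:// path (counter.cab) and an autorun under a Policies\Explorer\Run key. The following Python script is an added example, not part of this thread or of the StartupList tool; it parses a constructed excerpt of that report (the same entries, trimmed) and flags exactly those two patterns so a helper can spot them quickly.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the StartupList report posted above
# (same entries, trimmed to the two sections of interest).
SAMPLE_REPORT = r"""Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINNT\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[{1D0D9077-3798-49BB-9058-393499174D5D}]
CODEBASE = file://c:\counter.cab

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

xifwts = C:\WINNT\system32\xifwts.exe

--------------------------------------------------
"""

Finding = Tuple[str, str, str]  # (rule name, entry or key it belongs to, offending line)

LOCAL_CODEBASE = re.compile(r"^CODEBASE\s*=\s*file://", re.IGNORECASE)
POLICY_RUN_KEY = re.compile(r"\\policies\\Explorer\\Run$", re.IGNORECASE)


def parse_sections(report: str) -> List[Tuple[str, List[str]]]:
    """Split a StartupList-style report into (header, body lines) pairs.
    A section starts at the first non-empty line after a dashed separator."""
    sections, header, body = [], None, []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("----"):
            if header:
                sections.append((header, body))
            header, body = None, []
        elif header is None:
            if line:
                header = line
        else:
            body.append(line)
    if header:
        sections.append((header, body))
    return sections


def triage(report: str) -> List[Finding]:
    """Flag CODEBASE entries served from a local file and any autorun
    registered under a Policies\\Explorer\\Run key (rarely used legitimately)."""
    findings: List[Finding] = []
    for header, body in parse_sections(report):
        context = ""  # current [entry] name or registry key
        for line in body:
            if header.startswith("Enumerating Download Program Files"):
                if line.startswith("["):
                    context = line
                elif LOCAL_CODEBASE.match(line):
                    findings.append(("local-file codebase", context, line))
            elif header.startswith("Autorun entries from Registry"):
                if line.startswith("HK"):
                    context = line
                elif "=" in line and POLICY_RUN_KEY.search(context):
                    findings.append(("policy-run autorun", context, line))
    return findings


if __name__ == "__main__":
    for rule, context, line in triage(SAMPLE_REPORT):
        print(f"{rule}: {line}  ({context})")
```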

#38
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Seem to be getting closer here.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the Killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINNT\System32\4L6J3UM2.EXE
C:\WINNT\system32\xifwts.exe


Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts. If you receive a message and your computer does not restart automatically, please restart it manually.
Please download the Registry Search tool by clicking on the "hard drive" icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for svchost.exe and click OK. Post the logfile from the tool here for me.
  • 0

#39
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Did some non-critical Windows updates. All went OK.

Ran Spybot and it found the following:

IE Plugin Data C\WINNT\lu.dat

BookedSpace
Root Class
HKEY_CLASSES_ROOT\BookedSpace.Extension.5

Root Class
HKEY_CLASSES_ROOT\BookedSpace.Extension

Root Class
HKEY_CLASSES_ROOT\ApplD\BookedSpace.DLL

Root Class
HKEY_LOCAL_MACHINE\SOFTWARE\Bookedspace

Root Class
HKEY_CLASS_ROOT\ApplD\{0DC5CD7C-F653-4417-AA43-D457BE3A9622}

Root Class
HKEY_CLASS_ROOT\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622}

ISearchTech.PowerScan

I selected fix them all.
All problems were fixed.

Just got the email that you responded.
  • 0

#40
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
svchost error message as well?
  • 0

#41
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Ran Killbox.
Got that same window:
PendingFileRenameOperations Registry Data has been Removed by External Process!

clicked ok. Computer did not reboot. Rebooted manually.

Ran the registry search program for svchost.exe

Logfile:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "svchost.exe" 5/7/2005 4:08:42 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E9376CC6-121A-447e-81CF-D8BCC200007C}\LocalServer32]
@="C:\\WINNT\\System32\\svchost.exe"


When I look at Processes in the Task Manager, I find 3 instance of svchost.exe running, all with different memory usage.

thanks.

John
  • 0

#42
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Are you still getting the error message?


Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)
  • 0

#43
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
As of the last reboot I am still getting the svchost.exe error message on bootup.

Running the Kaspersky Beta Anti-virus program now. It really runs slow so it will take a while to get through. I have the free AVG installed and it did not find anything. I have run Housecall from Trend Micro during the last week. So far we have 5 viruses, 5 objects and 1 suspicious. We are 20% done. I guess no one program detects all malware, spyware or viruses. I'll post the results as soon as it's done.

Thanks.

John
  • 0

#44
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK John let it run and post back when done please
  • 0

#45
k8yse

k8yse

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
It took 16,543 seconds but it is finally finished.

It found these files:

C:\Documents&Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Trojan-Spy.HTML.Bankfraud.dg

C:\Documents&Settings\Administrator\Local Settings\Temp\cxtpls_loader.exe
Trojan-Downloader.Win32.Apropo.ab

C:\Documents&Settings\Administrator\Local Settings\Temp\fca01Vf.exe
Trojan-Downloader.Win32.IstBar.ir

C:\Documents&Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\581NT75X\135(1).bin
Trojan-Downloader.Win32.VB.eu

C:\Documents&Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q7PBKQDH\istdownload(1).exe
Trojan-Downloader.Win32.IstBar.ir

C:\Documents&Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy3.zip
Password-protected-EXE

C:\WINNT\System32\Cache\cstpls_loader.exe
Trojan-Downloader.Win32.Apropo.ab

C:\WINNT\System32\Cache\dist006.exe
Trojan-Downloader.Win32.VB.eu

I deleted all of the files except for the .pst file. That's the Outlook mail file so I don't want to lose all the messages that are saved in there. I hope we can clean the file somehow.

I have not rebooted yet. Should I try something else on the .pst file?

Thanks.

John
  • 0
