Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

infected by trojan-spy.html.smitfraud.c


  • This topic is locked This topic is locked

#16
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
here is the mwav scan, my system is running extremely slow today


File C:\WINDOWS\System32\jc2sg6kcoc97.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wf8txfhv0p2.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\orcj7234c93ppk.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\9knmn4onkilyo.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\9knmn4onkilyo.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\itshta.exe infected by "Trojan.Win32.Small.cr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\5lh92imthi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6lvgg5ggte.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\7xfxl7urp8.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\byb426c1ngjy.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dllu3fgjjz8b.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\jc2sg6kcoc97.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lh6x2ebw8jb.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\orcj7234c93ppk.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wf8txfhv0p2.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wk4me22ukoi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\y4k23wvv3122f.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\3534593.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\3534593.tmp infected by "Trojan.Win32.Krepper.aj" Virus. Action Taken: No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\itshta.exe infected by "Trojan.Win32.Small.cr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\4wro6sz3dznh.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\5lh92imthi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\6lvgg5ggte.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\7xfxl7urp8.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\byb426c1ngjy.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dllu3fgjjz8b.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\jc2sg6kcoc97.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lh6x2ebw8jb.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\orcj7234c93ppk.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tp8z1vw9hjr66.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\v4lri1d4s33.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wf8txfhv0p2.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wk4me22ukoi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\y4k23wvv3122f.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.

at May 14 10:58:00 2005 => ***** Checking for specific ITW Viruses *****
Sat May 14 10:58:01 2005 => Checking for Welchia Virus...
Sat May 14 10:58:01 2005 => Checking for LovGate Virus...
Sat May 14 10:58:01 2005 => Checking for CodeRed Virus...
Sat May 14 10:58:02 2005 => Checking for OpaServ Virus...
Sat May 14 10:58:02 2005 => Checking for Sobig.e Virus...
Sat May 14 10:58:02 2005 => Checking for Winupie Virus...
Sat May 14 10:58:02 2005 => Checking for Swen Virus...
Sat May 14 10:58:02 2005 => Checking for JS.Fortnight Virus...
Sat May 14 10:58:02 2005 => Checking for Novarg Virus...
Sat May 14 10:58:02 2005 => Checking for Pagabot Virus...
Sat May 14 10:58:02 2005 => Checking for Parite.b Virus...
Sat May 14 10:58:02 2005 => Checking for Parite.a Virus...
Sat May 14 10:58:02 2005 => Checking for Adware.SeekSeek Virus...

Sat May 14 10:58:02 2005 => ***** Scanning complete. *****
Sat May 14 10:58:03 2005 => Total Objects Scanned: 232952
Sat May 14 10:58:03 2005 => Total Virus(es) Found: 37
Sat May 14 10:58:03 2005 => Total Disinfected Files: 0
Sat May 14 10:58:03 2005 => Total Files Renamed: 0
Sat May 14 10:58:03 2005 => Total Deleted Objects: 0
Sat May 14 10:58:03 2005 => Total Errors: 46
Sat May 14 10:58:03 2005 => Time Elapsed: 12:29:56
Sat May 14 10:58:03 2005 => Virus Database Date: 2005/05/12
Sat May 14 10:58:03 2005 => Virus Database Count: 129400

Sat May 14 10:58:03 2005 => Scan Completed.
  • 0

Advertisements


#17
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Start Killbox and click on Tools->Delete Temp Files. When that finishes, select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\itshta.exe

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

C:\WINDOWS\system32\4wro6sz3dznh.dll

When it prompts you to reboot this time, press the NO button again and repeat the sequence for the following:

C:\WINDOWS\System32\5lh92imthi.dll
C:\WINDOWS\system32\6lvgg5ggte.dll
C:\WINDOWS\system32\7xfxl7urp8.dll
C:\WINDOWS\system32\9knmn4onkilyo.dll
C:\WINDOWS\System32\byb426c1ngjy.dll
C:\WINDOWS\system32\dllu3fgjjz8b.dll
C:\WINDOWS\system32\jc2sg6kcoc97.dll
C:\WINDOWS\system32\lh6x2ebw8jb.dll
C:\WINDOWS\System32\orcj7234c93ppk.dll
C:\WINDOWS\system32\tp8z1vw9hjr66.dll
C:\WINDOWS\system32\v4lri1d4s33.dll
C:\WINDOWS\System32\wf8txfhv0p2.dll
C:\WINDOWS\system32\wk4me22ukoi.dll
C:\WINDOWS\system32\y4k23wvv3122f.dll

It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes. Reboot if it doesn't do so automatically.

Post a new mwav scan and HJT log in your next reply.
  • 0

#18
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
here is the HJT log. It will take a long time to do the mwav scan and I am leaving out of town until tomorrow afternoon. I am letting it run so when i get back i can post that for you.

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:01:39 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\e6b7d12449da7f5e501f865d71be49c7\update\update.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31260
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31260
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O20 - AppInit_DLLs: dpucjimljmvlv.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#19
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, with only HJT running, have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=31260
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=31260
O20 - AppInit_DLLs: dpucjimljmvlv.dll


Reboot and post a new HJT log with your mwav scan.
  • 0

#20
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
the MWAV scan is first. Bottom window first and topn window second. The HJT file scan is last. While Mwav was running AVG open and started to scan, i do not know if that cause any problems or not. I have taken it of of the scheduled scan so it want interrupt any more.

thanks
Wally

Bottom Window
File C:\WINDOWS\System32\zu3yd8truybuc9.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wf8txfhv0p2.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\fyh1sjpmkv.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\itshta.exe infected by "Trojan.Win32.Small.cr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\4wro6sz3dznh.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\5b8y2umv5ok.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\5lh92imthi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\6lvgg5ggte.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\7xfxl7urp8.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\beilyvf367ut9.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\byb426c1ngjy.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dllu3fgjjz8b.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lh6x2ebw8jb.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\m7ey64h2rmhjv.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tp8z1vw9hjr66.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\v4lri1d4s33.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\vlwffcbyutuxh.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\wf8txfhv0p2.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.


Top Window
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.0.0_x-ww_2726e76a\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.CPlusPlusRuntime_6595b64144ccf1df_7.0.10.0_x-ww_d8862ba3\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:43 2005 => Scanning Folder: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\*.*
Tue May 17 00:36:43 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff
Tue May 17 00:36:44 2005 => ERROR!!! MS_ScanAndClean return ffffffff

Tue May 17 00:36:44 2005 => ***** Checking for specific ITW Viruses *****

Tue May 17 00:36:45 2005 => ***** Scanning complete. *****
Tue May 17 00:36:45 2005 => default: 337786
Tue May 17 00:36:45 2005 => default: 20
Tue May 17 00:36:45 2005 => default: 0
Tue May 17 00:36:45 2005 => default: 0
Tue May 17 00:36:45 2005 => default: 0
Tue May 17 00:36:45 2005 => default: 259600
Tue May 17 00:36:45 2005 => &Cancel: 08:16:54
Tue May 17 00:36:45 2005 => ERROR!!! Unable to get Database Info.. return 8004025d

Tue May 17 00:36:45 2005 => Scan Completed


HJT
Logfile of HijackThis v1.99.1
Scan saved at 8:16:21 AM, on 5/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Works\wkswp.exe
c:\Program Files\Microsoft Works\MSWorks.exe
c:\Program Files\Microsoft Works\wkgdcach.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O20 - AppInit_DLLs: 2dnsd98l2w.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#21
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmmm... there's a lot of the random files that should have gone still in there. Let's try a different approach. Start Killbox, select the Replace on Reboot option and put a checkmark in Use dummy.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\system32\2dnsd98l2w.dll

Let the computer reboot and go into Safe Mode (tap F8 ater the BIOS has loaded). Run HijackThis. Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=31260
O20 - AppInit_DLLs: 2dnsd98l2w.dll


Reboot back to Normal Mode, start Killbox again and select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\itshta.exe

It will prompt you to reboot, press the NO button. Instead, copy and paste the following and click the 'Delete File' button again:

C:\WINDOWS\System32\4wro6sz3dznh.dll

When it prompts you to reboot this time, press the NO button again and repeat the sequence for the following:

C:\WINDOWS\System32\5b8y2umv5ok.dll
C:\WINDOWS\System32\5lh92imthi.dll
C:\WINDOWS\System32\6lvgg5ggte.dll
C:\WINDOWS\System32\7xfxl7urp8.dll
C:\WINDOWS\System32\beilyvf367ut9.dll
C:\WINDOWS\System32\byb426c1ngjy.dll
C:\WINDOWS\System32\dllu3fgjjz8b.dll
C:\WINDOWS\system32\fyh1sjpmkv.dll
C:\WINDOWS\System32\lh6x2ebw8jb.dll
C:\WINDOWS\System32\m7ey64h2rmhjv.dll
C:\WINDOWS\System32\tp8z1vw9hjr66.dll
C:\WINDOWS\System32\v4lri1d4s33.dll
C:\WINDOWS\System32\vlwffcbyutuxh.dll
C:\WINDOWS\System32\wf8txfhv0p2.dll
C:\WINDOWS\System32\wf8txfhv0p2.dll
C:\WINDOWS\System32\zu3yd8truybuc9.dll

It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes. Reboot if it doesn't do so automatically.

Post a new mwav scan and HJT log in your next reply.
  • 0

#22
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
ok well i seem to have my IE back. It has not redirected it to that crazy place anymore today after the last fix. still infected though. scans below.

thanks

Wally


Logfile of HijackThis v1.99.1
Scan saved at 10:48:57 PM, on 5/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {5AA5A569-F96F-4628-A528-8B3698F558BB} (HS_live Control) - http://install.homes...ive/HS_live.cab
O20 - AppInit_DLLs: ht8tiz1zfr4tdz.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


MWAV next

File C:\WINDOWS\system32\lf66uofj9cdk9.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lf66uofj9cdk9.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147395.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147396.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147397.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147398.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP11\A0147399.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP4\A0052604.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP5\A0079464.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0123500.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0134287.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0134903.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0137012.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146719.exe infected by "Trojan.Win32.Small.cr" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146735.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146742.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146751.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146759.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146767.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146775.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146788.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146809.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146822.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146834.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146842.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146866.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146877.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{6140D920-5605-41B7-91F9-A11B337AB566}\RP8\A0146916.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\9r8pki96turdv4.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ht8tiz1zfr4tdz.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\izsp2txezl8.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lxzls142b5z.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\n14ibbcnfhg65g.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vlwffcbyutuxh.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wk4me22ukoi.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\xxfn45e75n.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\y4k23wvv3122f.dll infected by "Trojan.Win32.Krepper.ae" Virus. Action Taken: No Action Taken.


Thu May 19 22:46:32 2005 => ***** Scanning complete. *****
Thu May 19 22:46:32 2005 => Total Objects Scanned: 281994
Thu May 19 22:46:32 2005 => Total Virus(es) Found: 39
Thu May 19 22:46:32 2005 => Total Disinfected Files: 0
Thu May 19 22:46:32 2005 => Total Files Renamed: 0
Thu May 19 22:46:32 2005 => Total Deleted Objects: 0
Thu May 19 22:46:32 2005 => Total Errors: 3
Thu May 19 22:46:32 2005 => Time Elapsed: 07:30:45
Thu May 19 22:46:32 2005 => Virus Database Date: 2005/05/12
Thu May 19 22:46:32 2005 => Virus Database Count: 129400
  • 0

#23
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I went ahead and did the same procedure you asked me to do last time with Kill Box. I selected kill on reboot and killed every file in the last scan that had a virus attached to it. I Rebooted and so far no virus message has appeard and the computer seems to be running faster. I am afraid to move for fear I will wake them up!! does this mean we may be fixed. I did downlaod service pack 2 thursday and have downloaded several updates it asked for.

Wally
  • 0

#24
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Apologies, I missed you last reply. Anyway you did the right thing. The main infector file is the one that keeps showing up in different guises as the O20 entry in your HJT log. Let's make sure we nail it so there's no chance of the hijack coming back.

Start Killbox, select the Replace on Reboot option and put a checkmark in Use dummy.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:

C:\WINDOWS\system32\ht8tiz1zfr4tdz.dll

Let the computer reboot and go into Safe Mode (tap F8 ater the BIOS has loaded). Run HijackThis. Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O20 - AppInit_DLLs: ht8tiz1zfr4tdz.dll

Reboot back to Normal Mode and post a new HJT log.
  • 0

#25
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
the 020 app file you are talking about is always different each time i scan with HJT. Is it changing so it is harder to find? should delet any 020 app file name it comes up with?
  • 0

Advertisements


#26
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Yes, repeat my last post but use the filename that is currently showing in your HJT log for the O20 - it morphs to protect itself.
  • 0

#27
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
I ran HJT and then applied the fix to that 020 file and an error message came up. It is posted below.



An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: 93fw93heoo18v.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
  • 0

#28
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
havn't heard from you in a couple of days, did you see the last post, my computer is running so much better. I am almost afraid to reboot anymore untile i can kill that one file but it will not let me. this is the message i get when i try to fix it as instructed in HJT.

I ran HJT and then applied the fix to that 020 file and an error message came up. It is posted below.



An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: 93fw93heoo18v.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.
  • 0

#29
Daemon

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Hmm... this is odd. Talk me through the exact sequence you are following. i.e. >

Run HJT to establish filename.
Use Killbox to remove it and reboot to Safe Mode.
Use HJT again - has the O20 name changed again at this point or is it still the same as the one you killboxed?
When trying to fix with HJT, that's when you get the error?
Boot back to Normal Mode, O20 is still there, has the name changed again?
  • 0

#30
Wallace Bishop

Wallace Bishop

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
the sequence is exactly as you describe. this morning the file is
O20 - AppInit_DLLs: u3s9wwh8p1m.dll
again i get the same error message from HJT.

Wally
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP