
7+ trojans! Gen Kriptik, SVCHost.exe, Malex.gen!E, etc.



#16 BLewellyn (Member, Topic Starter, 28 posts)
Hi Ron,


I have to go out of town to mind my grandson because of the school strike here. I'll be back Saturday night or Sunday.

B
  • 0


#17 RKinner (Malware Expert, MVP, 24,625 posts)
You can do Tools, Add-ons and find the Bitdefender entry and uninstall or disable it.

Dell Support 5.0.0 (630) is an entry in your add/remove programs so you can just uninstall it. Probably a new one available at Dell if you think you need it.

Ron
  • 0

#18 BLewellyn (Member, Topic Starter, 28 posts)
Hello Ron,

I'm home. I've uninstalled Bitdefender and the Dell Support tool and I'm ready to carry on. I hope you are having a lovely weekend.

Barbara
  • 0

#19 RKinner (Malware Expert, MVP, 24,625 posts)
Does it seem to be running OK again now that you have uninstalled the Dell program and killed off the Bitdefender add-on?

Ron
  • 0

#20 BLewellyn (Member, Topic Starter, 28 posts)
Hi Ron,

Yes, it's working really well.


B
  • 0

#21 RKinner (Malware Expert, MVP, 24,625 posts)
Good. I think we're done except for some housekeeping.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f


You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

XP

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Uncheck the checkbox labeled Display the contents of system folders.
6. Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
7. Check the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shut down My Computer.


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close the program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 18.1 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.5.
http://download.cnet...4-10752777.html
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on. WOT (Web of Trust) is another you might want to try.

If Firefox is slow loading make sure it only has the current Java add-on. Then download and run Speedy Fox.
http://www.crystalidea.com/speedyfox. It seems to work best if you reboot right after running it. You can run it any time that Firefox seems slow.

Be warned: If you use Limewire, uTorrent or any of the other P2P programs you will almost certainly be coming back to the Malware Removal forum. If you must use P2P then submit any files you get to http://virustotal.com before you open them.

If you install the MVP Hosts file:
http://www.mvps.org/...p2002/hosts.htm
it will keep you from going to most bad sites. You do not need Spybot's Immunize which does the same thing.

If you have a router, log on to it today and change the default password!

Ron
  • 0

#22 BLewellyn (Member, Topic Starter, 28 posts)
Good morning Ron,

Thanks for your reply.

Well, I thought all was well. Unfortunately, this sly little devil has thrown a curve ball. When I tried to boot my computer up this morning the system password (before you get to WinXP) did not work and I had to pull the password jumper pin off. THEN I discovered that the administrator account password did not work either. Luckily I have a non-administrator account--also password protected, that I could get into. How in [bleep] did it DO that?

Update: Trend Micro found nothing. Kaspersky is unavailable right now. I tried to do a Panda scan but can't get the ActiveX control on IE--no yellow bar to allow it and Firefox won't download the DLLs. sigh...

Update: I remembered that Windows has an administrator account in safe mode so I went into that and restored to a point before the password change occurred and got my administrative account back, but Panda Online Scan still won't update the ActiveX controls on IE. Firefox finally worked after I poked it a couple of times. :D When it finishes scanning I will post the report. So far at 34% it says there are 8 vulnerabilities and 22 infected files.

Barbara

Edited by BLewellyn, 20 February 2011 - 07:45 AM.

  • 0

#23 BLewellyn (Member, Topic Starter, 28 posts)
Hello again Ron,

Whew! What a stinker this one is! I got the scan 42% completed after TWO hours and while I was checking on the progress moved the cursor on the page and it canceled the scan! So I started all over...

here is the report:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2011-02-20 11:09:52
PROTECTIONS: 1
MALWARE: 22
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
avast! Antivirus 5.0.83952505 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@atdmt[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@mediaplex[1].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][1].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@ccbill[2].txt
00162900 Cookie/MediaTickets TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@kinghost[1].txt
00167430 Cookie/myaffiliateprogram TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@com[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@apmebf[1].txt
00168070 Cookie/SpywareStormer TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@spywarestormer[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@zedo[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@go[2].txt
00199981 Cookie/Seeq TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][1].txt
00199982 Cookie/Buydomains TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\[email protected][2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@target[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@did-it[1].txt
00530924 Trj/Autoit.AJ Virus/Trojan No 1 Yes No c:\program files\2wire\sst\closeall.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
224952 HIGH MS10-098
224931 HIGH MS10-090
223906 HIGH MS10-073
223904 HIGH MS10-071
222626 HIGH MS10-053
222621 HIGH MS10-048
222620 HIGH MS10-047
222470 HIGH MS10-046
;===================================================================================================================================================================================
  • 0

#24 RKinner (Malware Expert, MVP, 24,625 posts)
Looks like nothing but a bunch of harmless cookies and one probable false positive (closeall.exe). You can submit the file to http://virustotal.com and see what they say but I think it's OK. The vulnerabilities are because you are way behind in Microsoft updates and it would be very easy to get reinfected, which may be what happened. You are only running SP2. Some AMD processors need a special additional program before they can go to SP3, so if you have an AMD CPU then you will need to check with your PC maker's website before trying to update. Who makes your PC and what model is it?

Get SIW

http://www.snapfiles.com/get/siw.html

Run it and under Hardware it should tell you about your CPU.

Ron
  • 0
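As an added example (it is not the forum's or Panda's code), here is a small Python parser for a Panda ActiveScan report in the layout posted in #23, reduced to the points Ron draws out in his reply: how many rows are only tracking cookies, what else was found and where, whether anything was active, and which Microsoft bulletins the vulnerability section lists. The embedded report is a constructed, trimmed copy of the posted one (most cookie rows dropped and the MALWARE count changed to match what is kept); the section and column names are taken from that report.

```python
"""Parse a Panda ActiveScan text report (layout as posted in this thread)
and summarise what a reviewer needs from it.  Added example; not Panda's
or Geeks to Go's code."""
import re

# Constructed sample: a trimmed copy of the report posted above.  Most of the
# cookie rows are dropped and the MALWARE count changed to match what is kept.
SAMPLE_REPORT = r"""
;*****************************************
ANALYSIS: 2011-02-20 11:09:52
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;*****************************************
PROTECTIONS
Description Version Active Updated
;=========================================
avast! Antivirus 5.0.83952505 Yes Yes
;=========================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=========================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\kerryn\cookies\kerryn@atdmt[1].txt
00530924 Trj/Autoit.AJ Virus/Trojan No 1 Yes No c:\program files\2wire\sst\closeall.exe
;=========================================
SUSPECTS
Sent Location
;=========================================
;=========================================
VULNERABILITIES
Id Severity Description
;=========================================
224952 HIGH MS10-098
224931 HIGH MS10-090
222470 HIGH MS10-046
;=========================================
"""

SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}

# Description may contain spaces ("Cookie/Atlas DMT"), so the row is matched
# from both ends: the fixed Yes/No and severity columns pin the middle down.
MALWARE_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<description>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$")
VULN_ROW = re.compile(r"^(?P<id>\d+)\s+(?P<severity>\S+)\s+(?P<description>.+)$")


def parse_report(text):
    """Split the report into its header key/values and the rows of each section."""
    header = {}
    rows = {name: [] for name in SECTION_NAMES}
    current, skip_column_header = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # rulers made of ;**** or ;====
        if line in SECTION_NAMES:
            current, skip_column_header = line, True
            continue
        if current is None:               # "ANALYSIS: 2011-02-20 11:09:52" etc.
            key, _, value = line.partition(":")
            header[key.strip()] = value.strip()
        elif skip_column_header:          # the "Id Description Type ..." line
            skip_column_header = False
        else:
            rows[current].append(line)

    malware = []
    for row in rows["MALWARE"]:
        m = MALWARE_ROW.match(row)
        if m is None:
            raise ValueError("unrecognised MALWARE row: " + row)
        malware.append(m.groupdict())
    vulns = [VULN_ROW.match(r).groupdict() for r in rows["VULNERABILITIES"]]
    return {"header": header, "protections": rows["PROTECTIONS"],
            "malware": malware, "vulnerabilities": vulns}


def summarise(report):
    """The questions the helper answers in his reply, as data."""
    malware = report["malware"]
    cookies = [m for m in malware if m["type"] == "TrackingCookie"]
    other = [(m["description"], m["location"]) for m in malware
             if m["type"] != "TrackingCookie"]
    declared = int(report["header"].get("MALWARE", "0"))
    bulletins = sorted(v["description"] for v in report["vulnerabilities"]
                       if v["description"].upper().startswith("MS"))
    return {
        "rows_match_header": declared == len(malware),
        "tracking_cookies": len(cookies),
        "other_detections": other,
        "active_detections": sum(m["active"] == "Yes" for m in malware),
        "max_severity": max((int(m["severity"]) for m in malware), default=0),
        "missing_bulletins": bulletins,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

The "rows_match_header" check is there because the header count and the row count come from different parts of the report; a mismatch usually means the paste was truncated, which is worth knowing before anyone reads the other numbers.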

#25 BLewellyn (Member, Topic Starter, 28 posts)
Hi Ron,

Thanks for your reply.

My PC is a Dell Dimension 3000. It is a Pentium 4 not an AMD. I finished getting all the updates to Windows last night. According to a scan by Microsoft at their update site, all updates have been made.

I found the closeall.exe file in a program I have been trying to remove through the Control Panel. It is part of a group of SBC Yahoo! Home Networking Installer programs for the 2Wire DSL router that is no longer necessary according to SBC, since the DSL connection is automatically detected. I didn't know that and tried to use the install disk when I first fired up the PC. I ask the Add/Remove Programs tool to remove it and get no response.

I sent the file to virustotal.com as you suggested and had it reanalyzed. This is the result:


File name:
closeAll.exe
Submission date:
2011-02-20 23:48:52 (UTC)
Current status:
queued queued analysing finished
Result:
5/ 41 (12.2%)

VT Community

not reviewed
Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.02.14.02 2011.02.14 -
AntiVir 7.11.3.165 2011.02.20 TR/Autoit.BR
Antiy-AVL 2.0.3.7 2011.02.19 -
Avast 4.8.1351.0 2011.02.20 -
Avast5 5.0.677.0 2011.02.20 -
AVG 10.0.0.1190 2011.02.20 -
BitDefender 7.2 2011.02.21 -
CAT-QuickHeal 11.00 2011.02.20 Trojan.Agent.ATV
ClamAV 0.96.4.0 2011.02.20 -
Commtouch 5.2.11.5 2011.02.20 -
Comodo 7753 2011.02.20 -
DrWeb 5.0.2.03300 2011.02.21 -
eSafe 7.0.17.0 2011.02.17 -
eTrust-Vet 36.1.8170 2011.02.18 -
F-Prot 4.6.2.117 2011.02.20 -
F-Secure 9.0.16160.0 2011.02.20 -
Fortinet 4.2.254.0 2011.02.20 -
GData 21 2011.02.21 -
Ikarus T3.1.1.97.0 2011.02.20 -
Jiangmin 13.0.900 2011.02.20 -
K7AntiVirus 9.87.3906 2011.02.19 -
McAfee 5.400.0.1158 2011.02.21 -
McAfee-GW-Edition 2010.1C 2011.02.20 -
Microsoft 1.6502 2011.02.20 -
NOD32 5891 2011.02.20 -
Norman 6.07.03 2011.02.20 -
nProtect 2011-02-10.01 2011.02.15 -
Panda 10.0.3.5 2011.02.20 Trj/Autoit.AJ
PCTools 7.0.3.5 2011.02.20 -
Prevx 3.0 2011.02.21 -
Rising 23.45.04.06 2011.02.18 -
Sophos 4.61.0 2011.02.20 -
SUPERAntiSpyware 4.40.0.1006 2011.02.21 -
Symantec 20101.3.0.103 2011.02.20 -
TheHacker 6.7.0.1.134 2011.02.20 Trojan/Agent.lf
TrendMicro 9.200.0.1012 2011.02.20 -
TrendMicro-HouseCall 9.200.0.1012 2011.02.15 -
VBA32 3.12.14.3 2011.02.18 -
VIPRE 8487 2011.02.20 -
ViRobot 2011.2.19.4319 2011.02.20 Trojan.Win32.Autoit.95736
VirusBuster 13.6.210.1 2011.02.20 -
Additional information
MD5 : cda58701492e0395bfb17a81b8d36040
SHA1 : b04344517964bedd4c16b0b389f828091f2b3b1a
SHA256: 61ee0b86325719dd62b6aabdb1eb15c4d4c76d27e82142935068eabfc44b6773
ssdeep: 768:BZOkcLwynvk0RqXTCISOAqumPYwKIMVa2Jk:pg3vk0kXLgMKIa7Jk
File size : 43185 bytes
First seen: 2006-06-05 00:26:30
Last seen : 2011-02-20 23:48:52
TrID:
UPX compressed Win32 Executable (39.5%)
Win32 EXE Yoda's Crypter (34.3%)
Win32 Executable Generic (11.0%)
Win32 Dynamic Link Library (generic) (9.8%)
Generic Win/DOS Executable (2.5%)
sigcheck:
publisher....: n/a
copyright....: n/a
product......: Compiled AutoIt Script
description..: Compiled AutoIt Script
original name: n/a
internal name: n/a
file version.: 2, 64, 0, 0
comments.....: Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
signers......: -
signing date.: -
verified.....: Unsigned
PEiD: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
packers (F-Prot): UPX
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0x48B30
timedatestamp....: 0x3E00C9CA (Wed Dec 18 19:17:30 2002)
machinetype......: 0x14c (I386)

[[ 3 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
UPX0, 0x1000, 0x3F000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x40000, 0x9000, 0x8E00, 7.88, 804e3e6f0857bd94c28fb9701dd53cfe
.rsrc, 0x49000, 0x2000, 0x1400, 3.36, 34885b13bf5439c8135e7c8eaab09eea

[[ 6 import(s) ]]
KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
ADVAPI32.dll: RegCloseKey
comdlg32.dll: GetOpenFileNameA
GDI32.dll: GetStockObject
SHELL32.dll: Shell_NotifyIconA
USER32.dll: IsIconic
ExifTool:
file metadata
CharacterSet: Unicode
CodeSize: 36864
Comments: Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
EntryPoint: 0x48b30
FileDescription: Compiled AutoIt Script
FileFlagsMask: 0x003f
FileOS: Windows NT 32-bit
FileSize: 42 kB
FileSubtype: 0
FileType: Win32 EXE
FileVersion: 2, 64, 0, 0
FileVersionNumber: 2.64.0.0
ImageVersion: 0.0
InitializedDataSize: 8192
LanguageCode: English (British)
LinkerVersion: 7.0
MIMEType: application/octet-stream
MachineType: Intel 386 or later, and compatibles
OSVersion: 4.0
ObjectFileType: Executable application
PEType: PE32
ProductName: Compiled AutoIt Script
ProductVersion: 2, 64, 0, 0
ProductVersionNumber: 2.64.0.0
Subsystem: Windows GUI
SubsystemVersion: 4.0
TimeStamp: 2002:12:18 20:17:30+01:00
UninitializedDataSize: 258048


I'm not savvy enough about these things to know what to think about that but I don't need this program on my PC so it seems to me that the most expedient thing to do is get rid of it and all the programs associated with it.

In the meanwhile back at the ranch, I had to go out for a while this afternoon so I shut my PC down. When I turned it back on, once again, the password for the administrator account did not work. Neither did the password for the non-administrator account. sigh... I restored the OS back to last night.

I've used this password for at least 3 years on my other PC. I used the same password for the system and both accounts. It's a semi-complicated password but I have muscle memory for typing it in and don't even have to think about it anymore. I didn't forget what it was. I retyped it 4 times in each case. I've removed the passwords for the present.

Another thing that is happening is that when I try to turn the PC on it will act as if it is starting up but then it dies and I may have to press the start button 2 or 3 times, holding it down for a few seconds before it actually fires up.

Now what?

Barbara
  • 0
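The VirusTotal report above is the kind of thing Ron reads as "probable false positive", and the reasoning behind that reading can be written down. This added Python helper (not VirusTotal's or the forum's code) parses the engine table and the PE section table from the post into the points a reviewer weighs: how many engines agree, whether the detection names share a family token, whether the section layout looks packed, and whether the file is signed. The engine and section rows embedded below are a constructed subset copied from the posted report; the one-third consensus threshold and the 7.0 entropy cut-off are the author's choices, not VirusTotal's.

```python
"""Triage the engine table and PE section table of a VirusTotal-style
report like the one pasted above.  Added example, not VirusTotal's or the
forum's code: it reduces the report to the things a reviewer weighs and
leaves the verdict to a human."""
import re
from collections import Counter

# Constructed sample: 16 of the engine rows and the three section rows
# copied from the report posted in this thread.
ENGINE_TABLE = """
AhnLab-V3 2011.02.14.02 2011.02.14 -
AntiVir 7.11.3.165 2011.02.20 TR/Autoit.BR
Avast5 5.0.677.0 2011.02.20 -
AVG 10.0.0.1190 2011.02.20 -
BitDefender 7.2 2011.02.21 -
CAT-QuickHeal 11.00 2011.02.20 Trojan.Agent.ATV
ClamAV 0.96.4.0 2011.02.20 -
F-Secure 9.0.16160.0 2011.02.20 -
McAfee 5.400.0.1158 2011.02.21 -
Microsoft 1.6502 2011.02.20 -
NOD32 5891 2011.02.20 -
Panda 10.0.3.5 2011.02.20 Trj/Autoit.AJ
Sophos 4.61.0 2011.02.20 -
Symantec 20101.3.0.103 2011.02.20 -
TheHacker 6.7.0.1.134 2011.02.20 Trojan/Agent.lf
ViRobot 2011.2.19.4319 2011.02.20 Trojan.Win32.Autoit.95736
"""
SECTION_TABLE = """
UPX0, 0x1000, 0x3F000, 0x0, 0.00, d41d8cd98f00b204e9800998ecf8427e
UPX1, 0x40000, 0x9000, 0x8E00, 7.88, 804e3e6f0857bd94c28fb9701dd53cfe
.rsrc, 0x49000, 0x2000, 0x1400, 3.36, 34885b13bf5439c8135e7c8eaab09eea
"""
SIGCHECK_VERIFIED = "Unsigned"   # the 'verified' line of the sigcheck block

# Tokens that appear in nearly every detection name and say nothing about family.
NOISE = {"tr", "trj", "trojan", "win", "generic", "agent"}


def parse_engines(table):
    rows = []
    for line in table.strip().splitlines():
        engine, version, updated, result = line.split(None, 3)
        rows.append({"engine": engine, "version": version, "updated": updated,
                     "result": None if result == "-" else result})
    return rows


def parse_sections(table):
    rows = []
    for line in table.strip().splitlines():
        name, _vaddr, vsize, rawsize, entropy, md5 = [f.strip() for f in line.split(",")]
        rows.append({"name": name, "virtual_size": int(vsize, 16),
                     "raw_size": int(rawsize, 16), "entropy": float(entropy), "md5": md5})
    return rows


def detection_families(engines):
    """Count the family-like tokens shared across detection names."""
    counts = Counter()
    for row in engines:
        if row["result"]:
            tokens = {t.lower() for t in re.findall(r"[A-Za-z]+", row["result"])}
            counts.update(tokens - NOISE)
    return counts


def packer_indicators(sections):
    """Section-layout signs of a runtime packer; a flag, not proof of malice."""
    flags = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes reserved at runtime")
        if s["entropy"] >= 7.0:
            flags.append(f"{s['name']}: entropy {s['entropy']:.2f}, compressed or encrypted data")
        if s["name"].upper().startswith("UPX"):
            flags.append(f"{s['name']}: section named after the UPX packer")
    return flags


def triage(engines, sections, verified):
    hits = [r for r in engines if r["result"]]
    families = detection_families(engines)
    flags = packer_indicators(sections)
    notes = []
    if len(hits) < len(engines) / 3:
        notes.append("fewer than a third of engines flag it: heuristic-grade, corroborate before acting")
    if families and families.most_common(1)[0][1] >= 2:
        fam, n = families.most_common(1)[0]
        notes.append(f"{n} of {len(hits)} detection names agree on '{fam}'")
    if flags:
        notes.append("packed binary: AV verdicts on packed files are less reliable in both directions")
    if verified.lower() != "signed":
        notes.append("no valid Authenticode signature, so the publisher cannot be confirmed")
    return {"detections": len(hits), "engines": len(engines),
            "top_family": families.most_common(1)[0] if families else None,
            "packer_flags": flags, "notes": notes}


if __name__ == "__main__":
    result = triage(parse_engines(ENGINE_TABLE), parse_sections(SECTION_TABLE), SIGCHECK_VERIFIED)
    print(f"{result['detections']}/{result['engines']} engines")
    for note in result["packer_flags"] + result["notes"]:
        print(" -", note)
```

Note what the output does and does not say: three engines agreeing on "Autoit" plus a UPX layout is consistent with a compressed AutoIt script tripping generic heuristics, which matches the sigcheck product name in the report, but a packed, unsigned binary is also exactly what real malware looks like, so the decision still rests on knowing where the file came from (here, the 2Wire installer that Barbara identifies in the same post).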


#26 RKinner (Malware Expert, MVP, 24,625 posts)
You might want to also uninstall SuperAntiSpyware in case it is getting in the way.

We can remove SBC Yahoo! DSL Home Networking Installer with OTL.

Copy the text in the code box by highlighting and Ctrl + c


:OTL
O4 - Startup: C:\Documents and Settings\kerryn\Start Menu\Programs\Startup\2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe ()

:Files
C:\Documents and Settings\kerryn\Start Menu\Programs\Startup\2WireSetup.lnk
C:\Program Files\2Wire
     
:Commands
[emptytemp]
[Reboot]

then run OTL and under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply.

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks



Ron
  • 0

#27 BLewellyn (Member, Topic Starter, 28 posts)
Good morning Ron,

You might want to also uninstall SuperAntiSpyware in case it is getting in the way.

We can remove SBC Yahoo! DSL Home Networking Installer with OTL.

I have completed those tasks.

If you get a lot of "red entries" in an IceSword log, don't panic.

I didn't panic but when I was working on the SSDT file my eyes began to cross. :D



Process:

no red processes

System Idle Process
System
C:\WINDOWS\SYSTEM32\LEXBCES.EXE
C:\WINDOWS\SYSTEM32\spoolsv.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\SYSTEM32\LEXPPS.EXE
C:\PROGRA~1\McAfee\SITEAD~1\McSACore.exe
C:\WINDOWS\SYSTEM32\smss.exe
C:\WINDOWS\SYSTEM32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\SYSTEM32\services.exe
C:\WINDOWS\SYSTEM32\lsass.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\WINDOWS\SYSTEM32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\alg.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\kerryn\Desktop\IceSword.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\SYSTEM32\hkcmd.exe
C:\WINDOWS\SYSTEM32\igfxpers.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Autorun Eater\oldmcdonald.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\WINDOWS\SYSTEM32\ctfmon.exe
C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Autorun Eater\billy.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe

Win32 Services

no red services
Started Service:

Service Name:ALG Display Name:Application Layer Gateway Service
Service Name:AudioSrv Display Name:Windows Audio
Service Name:avast! Antivirus Display Name:avast! Antivirus
Service Name:Browser Display Name:Computer Browser
Service Name:cmdAgent Display Name:COMODO Internet Security Helper Service
Service Name:CryptSvc Display Name:CryptSvc
Service Name:DcomLaunch Display Name:DCOM Server Process Launcher
Service Name:Dhcp Display Name:DHCP Client
Service Name:Dnscache Display Name:DNS Client
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Event Log
Service Name:EventSystem Display Name:COM+ Event System
Service Name:FastUserSwitchingCompatibility Display Name:Fast User Switching Compatibility
Service Name:helpsvc Display Name:Help and Support
Service Name:HidServ Display Name:HID Input Service
Service Name:JavaQuickStarterService Display Name:Java Quick Starter
Service Name:lanmanserver Display Name:Server
Service Name:lanmanworkstation Display Name:Workstation
Service Name:LexBceS Display Name:LexBce Server
Service Name:LmHosts Display Name:TCP/IP NetBIOS Helper
Service Name:McAfee SiteAdvisor Service Display Name:McAfee SiteAdvisor Service
Service Name:Netman Display Name:Network Connections
Service Name:Nla Display Name:Network Location Awareness (NLA)
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:IPSEC Services
Service Name:ProtectedStorage Display Name:Protected Storage
Service Name:RasMan Display Name:Remote Access Connection Manager
Service Name:RpcSs Display Name:Remote Procedure Call (RPC)
Service Name:SamSs Display Name:Security Accounts Manager
Service Name:Schedule Display Name:Task Scheduler
Service Name:seclogon Display Name:Secondary Logon
Service Name:SENS Display Name:System Event Notification
Service Name:SharedAccess Display Name:Windows Firewall/Internet Connection Sharing (ICS)
Service Name:ShellHWDetection Display Name:Shell Hardware Detection
Service Name:Spooler Display Name:Print Spooler
Service Name:srservice Display Name:System Restore Service
Service Name:stisvc Display Name:Windows Image Acquisition (WIA)
Service Name:TapiSrv Display Name:Telephony
Service Name:TermService Display Name:Terminal Services
Service Name:Themes Display Name:Themes
Service Name:TrkWks Display Name:Distributed Link Tracking Client
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:w32time Display Name:Windows Time
Service Name:WebClient Display Name:WebClient
Service Name:winmgmt Display Name:Windows Management Instrumentation
Service Name:wscsvc Display Name:Security Center
Service Name:wuauserv Display Name:Automatic Updates
Service Name:WZCSVC Display Name:Wireless Zero Configuration
Service Name:YahooAUService Display Name:Yahoo! Updater


Startup:

no red entries

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMAXPnP
C:\Program Files\Analog Devices\Core\smax4pnp.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IntelMeM
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
mmtask
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
RealTray
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Lexmark X1100 Series
"C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxtray
C:\WINDOWS\system32\igfxtray.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxhkcmd
C:\WINDOWS\system32\hkcmd.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxpers
C:\WINDOWS\system32\igfxpers.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
QuickTime Task
"C:\Program Files\QuickTime\qttask.exe" -atboottime


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
COMODO Internet Security
"C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Autorun Eater
C:\Program Files\Autorun Eater\oldmcdonald.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
avast5
"C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
DellSupport
"C:\Program Files\Dell Support\DSAgnt.exe" /startup


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
OpenDNS Updater
"C:\Program Files\OpenDNS Updater\OpenDNSUpdater.exe" /autostart


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
DESKTOP.INI

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
McAfee Security Scan Plus.lnk
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe (Remark£º)


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
NkbMonitor.exe.lnk
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe (Remark£º)


C:\Documents and Settings\kerryn\Start Menu\Programs\Startup
DESKTOP.INI



SSDT

I wasn't sure what you wanted here, the column labeled KModule, the column labeled name or both, so you are getting both. :D I'm using the entry number to keep track of myself. Unless otherwise noted the KModule column entries given first begin with \System Root\System32\.

0xB DRIVERS\cmdguard.sys Nt AdjustPrivelegesToken
0x11 Drivers\aswSP.SYS (no name)
0x19 Drivers\aswSP.SYS (no name)
0x1F DRIVERS\cmdguard.sys NtConnectPort
0x25 DRIVERS\cmdguard.sys (no name)
0x29 Drivers\aswSP .SYS NtCreateKey
0x2E Drivers\cmdguard.sys NtCreatePort
0x32 DRIVERS\cmdguard.sys NtCreateSection
0x34 DRIVERS\cmdguard.sys NtCreateSymbolicLineObject
0x35 DRIVERS\cmdguard.sys NtCreateThread
0x3F Drivers\aswSP.SYS NtDeleteKey
0x41 Drivers\aswSP.SYS Nt ValueKey
0x44 Drivers\aswSP.SYS NtDuplicateObject
0x47 DRIVERS\cmdguard.sys NtEnumerateKey
0x49 DRIVERS\cmdguard.sys NtEnumerateValueKey
0x53 Drivers\aswSP.sys (no name)
0x61 DRIVERS\cmdguard.sys (no name)
0x69 DRIVERS\cmdguard.sys NtMakeTemporaryObject
0x74 DRIVERS\cmdguard.sys (no name)
0x77 Drivers\aswSP.SYS NtOpenKey
0x7A Drivers\aswSP.sys NtOpenprocess
0x7D DRIVERS\cmdguard.sys NtOpenSection
0x80 Drivers\aswSP.SYS NtOpenThread
0x89 Drivers\aswSP.SYS (no name)
0xAD DRIVERS\cmdguard.sys NtQueryKey
0xA1 DRIVERS\cmdguard.sys NtQueryMultipleValueKey
0x81 Drivers\aswSP.SYS NtQueryValueKey
0xCD Drivers\aswSP.SYS NtRenameKey
0xc8 DRIVERS\cmdguard.sys NtWaitReplyOff
0xCC Drivers\aswSP.SYS NtRestoreKey
0xD2 DRIVERS\cmdguard.sys NtSecureConnectPort
0xED DRIVERS\cmdguard.sys NtSecurityObject
0xF0 DRIVERS\cmdguard.sys NtSystemInformation
0xF7 Drivers\aswSP.SYS NtSetValueKey
0xF9 DRIVERS\cmdguard.sys NtShutDownSystem
0xFF DRIVERS\cmdguard.sys NtSystemDebugControl
0x101 \??\ProgramFiles\SuperAntiSpyware\SASKutil.sys
0x102 DRIVERS\cmdguard.sys

Message Hooks

C:\:ProgramFiles\Autorun Eater\oldmcdonald.exe
C:\WINDOWS\System32\ctfnon.exe
C:\ProgramFiles\Real\RealPlayer\realplay.exe
C:\ProgramFiles\OpenDNSUpdater\OpenDNSUpdater.exe
C:\ProgramFiles\Autorun Eater\billy.exe
C:\ProgramFiles\Nikon\PictureProject\NKbMonitor.exe
C:\WINDOWS\explorer.exe
C:WINDOWS\explorer.exe
C:WINDOWS\explorer.exe



OK, now I have a massive headache and I guess I need to get my eyes checked.

I have recently received the following alerts:

AutoIt error Line 10
Runwait, C:\\windows\\System32\\cmd.exe\C//bin\\Killwindow2.exe,,Hide

AvastSvc.exe is recognized but Sf.bin is not

McAfee SiteAdvisor default settings have changed

mmtask.exe-mmVcp70.dll not found

Barbara

Edited by BLewellyn, 21 February 2011 - 09:18 AM.

  • 0

#28 RKinner (Malware Expert, MVP, 24,625 posts)
Sorry about the IceSword writeup. I used the canned one from GeeksToGo this time. I have an older version I wrote myself and it tells you that I just need one instance of each unique path that appears in SSDT, not every instance. That would have cut down the typing a lot. What we are seeing in red is just Avast and Comodo and SuperAntiSpyware so I'm afraid it was all for nothing.

The errors you are seeing are from the "2Wire" program. AutoIt is a program that can automate PC configuration and the VirusTotal report said closeAll.exe was a compiled AutoIt file.
http://www.autoitscr...om/site/autoit/

If OTL can't remove it you should be able to manually delete the folder in c:\Program Files called
C:\Program Files\2Wire
and also the shortcut in
C:\Documents and Settings\kerryn\Start Menu\Programs\Startup\
called 2WireSetup.lnk

Ron
  • 0
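Ron's point that the SSDT listing only needs each unique KModule path once can be turned into a few lines of code. This added Python helper (not IceSword's or the forum's code) takes rows in the form Barbara typed them, repairs the typing quirks (mixed case, the stray space in "aswSP .SYS", rows with no service name), groups the hooked Nt* services under the driver that hooks them, and reports any hooking driver that is not on a short list of known products. The KNOWN_HOOKERS map is built from Ron's attribution in this reply (Avast, Comodo, SuperAntiSpyware); the sample rows are a constructed subset of the posted listing, and the last row (unknownhook.sys) is invented to show what an unrecognised hooker looks like.

```python
"""Condense an IceSword SSDT listing like the one typed out above into one
line per hooking driver.  Added example, not IceSword's or the forum's code."""
import re
from collections import defaultdict

# Constructed sample: a handful of the rows posted above (keeping the same
# typing quirks: mixed case, a stray space, a '(no name)' entry) plus one
# invented row for a driver that is NOT on the known list.
SSDT_LISTING = r"""
0xB DRIVERS\cmdguard.sys Nt AdjustPrivelegesToken
0x11 Drivers\aswSP.SYS (no name)
0x29 Drivers\aswSP .SYS NtCreateKey
0x35 DRIVERS\cmdguard.sys NtCreateThread
0x7A Drivers\aswSP.sys NtOpenprocess
0x101 \??\ProgramFiles\SuperAntiSpyware\SASKutil.sys
0x102 DRIVERS\cmdguard.sys
0x103 \SystemRoot\system32\drivers\unknownhook.sys NtOpenProcess
"""

# Drivers the helper identified in this thread as the installed security
# products; any hooker outside this map deserves a closer look.
KNOWN_HOOKERS = {
    "cmdguard.sys": "COMODO Internet Security",
    "aswsp.sys": "avast! self-protection",
    "saskutil.sys": "SUPERAntiSpyware",
}

ROW = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s*(.*)$")


def parse_row(line):
    """Return (index, module basename in lower case, service name or None)."""
    m = ROW.match(line.strip())
    if not m:
        return None
    index, module, rest = m.groups()
    # Repair "aswSP .SYS": an extension separated from its file name by a space.
    if rest[:4].lower() == ".sys":
        module, rest = module + ".sys", rest[4:]
    name = module.rsplit("\\", 1)[-1].lower()
    service = "".join(rest.split()) or None        # "Nt AdjustPriv..." -> "NtAdjustPriv..."
    if service == "(noname)":                      # IceSword's "(no name)" marker
        service = None
    return int(index, 16), name, service


def group_hooks(listing):
    """Map each hooking driver to the sorted list of services it hooks."""
    hooks = defaultdict(set)
    for line in listing.strip().splitlines():
        parsed = parse_row(line)
        if parsed:
            _, module, service = parsed
            hooks[module].add(service or "<unnamed>")
    return {module: {"product": KNOWN_HOOKERS.get(module), "hooks": sorted(services)}
            for module, services in hooks.items()}


def unknown_hookers(report):
    """Drivers hooking the SSDT that are not attributed to a known product."""
    return sorted(m for m, info in report.items() if info["product"] is None)


if __name__ == "__main__":
    report = group_hooks(SSDT_LISTING)
    for module, info in sorted(report.items()):
        print(f"{module:16} {info['product'] or 'UNKNOWN':28} {len(info['hooks'])} hooks")
    print("needs review:", unknown_hookers(report))
```

Two drivers hooking forty entries collapses to two lines, and the one name nobody can vouch for stands out; that is the listing the helper actually wanted.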

#29 BLewellyn (Member, Topic Starter, 28 posts)
Hello again Ron,

That would have cut down the typing a lot. What we are seeing in red is just Avast and Comodo and SuperAntiSpyware so I'm afraid it was all for nothing.

:D I wondered about that. Oh well... We got information and that's what we needed so it's not all for nothing IMO.

IF OTL can't remove it you should be able to manually delete the folder

The 2Wire folder was a zip file. I think I might have created it when I was futzing around trying to figure out how to submit the files to VirusTotal. :D I didn't find an icon in Documents and Settings.

I have to go out for a while so it will be a while before I can put this through the paces. I'm going to put a password on the Kerryn/administrator account and shut it down to see what happens. BTW there are 2 other administrator folders in C. One is just administrator and the other is administrator000. Is that normal?

B
  • 0

#30 RKinner (Malware Expert, MVP, 24,625 posts)
Having two Administrator folders isn't normal but it just means that this version of Windows recognizes two different users with essentially the same name. Possibly you created an account named Administrator when there was already the built-in administrator account that you can only get to through safe mode, and the 00 is Windows' way of telling them apart.

If you Start, Run, cmd, OK it should bring up a command window. Type:
cd  "\documents and Settings" 

(the prompt will change to show you are now in C:\Documents  and  Settings)

dir  /a  >>  \junk.txt

cd  "\documents and Settings\kerryn\Start Menu\Programs\Startup"

(the prompt should show you are in C:\Documents  and  Settings\kerryn\Start  Menu\Programs\Startup)

dir  /a  >>  \junk.txt

notepad  \junk.txt

(I use 2 spaces in the code box so you can be sure to see where 1 space goes.)
Copy and paste the text from notepad into a reply.

Ron
  • 0