
Aurora/Malware/ABI Infection [CLOSED]


  • This topic is locked

#16
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, just got help from thatman (one of our Moderators/Staff here).

I want you to go to this folder c:\Windows\system32 and see if you can find any ICO files. Best way to do this is change your view to Detail View and then sort it by file type. Look for ICO files (there should be two).

Now while still in the system32 folder, double click on drwatson.exe to run it. "In the bottom tray bar on your screen you will see drwatson. Click on that icon; this will give an error message. Copy the information down and post this back to me."

Now double click on drwtsn32.exe and again copy the information and post this also.
  • 0



#17
myob

    Member

  • Topic Starter
  • 18 posts
There is definitely only one ICO file in c:\Windows\system32, which is "OemLinkIcon.ico".
After clicking on drwatson.exe I got the message "no faults detected" - when I did the same with drwtsn32.exe it gave me no error messages but it did pop up with a property-type box that had information like the log file path, crash dump, number of instructions, number of errors to save, crash dump type etc.
  • 0

#18
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi, I will get back to you on this. Need to get additional help here as I have never dealt with this before.
  • 0

#19
myob

    Member

  • Topic Starter
  • 18 posts
Thanks. It may also be relevant to add that when I opened MSN Messenger 7.0 this afternoon, for the first time in several days, I got the same postmortem debugger error that I get when I boot into Windows. I tried opening it a couple of times to make sure it wasn't just a coincidence but the same error/freeze happened each time - I uninstalled the program to see if that would make a difference to the error/freeze when I start the computer but it didn't and then after doing that I also got the same error/freeze after starting Firefox, so I don't know what that's all about - I won't do anything else until I hear back from you.
  • 0

#20
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, got back a reply :tazz:

Go to that box and click on view. When the view box shows up copy all the text and post it here.
  • 0

#21
myob

    Member

  • Topic Starter
  • 18 posts
Hi, thanks for the quick reply. I can't click on the view button because there are no application errors to view and so the button isn't available to click, if that makes sense? Let me know what you think.
  • 0

#22
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So do you still get that "DrWatson postmortem debugger" error?
  • 0

#23
myob

    Member

  • Topic Starter
  • 18 posts
Yes, I get the error and the freeze every time I boot into Windows and now I also get it when I open certain programs, such as Microsoft Outlook.
  • 0

#24
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Can you view the log file now after you get the errors?
  • 0

#25
myob

    Member

  • Topic Starter
  • 18 posts
No, because when I get the error everything also freezes, until I ctrl/alt/del the drwtsn32.exe process that is running and then things go back to normal so there hasn't been a point yet when I can access the view button. Is the postmortem debugger thing a genuine error linked to Windows? Are both drwatson.exe and drwtsn32.exe supposed to be in the system32 folder? And, if not, couldn't I just get rid of the drwtsn32.exe? Also, you mentioned that there should be two ICO files in c:\Windows\system32 but there aren't, so what does that mean and is there any way I can repair/replace the missing file? Thanks for bearing with me.
  • 0



#26
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, can't believe I missed this earlier. thatman has pointed out to me that Ewido didn't clean up everything it found. So let's get rid of them now:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the CleanUp! button. Once it's done, you may click the Close button. When asked if you want to log off, choose Yes.

Delete these:

C:\Program Files\Common Files\csshare\plugins0942\npWTHost.dll
C:\Program Files\Netscape\Netscape 6\Plugins\npWTHost.dll
C:\WINDOWS\cfgmgr52\
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\kmkdjbvnabr.exe
C:\WINDOWS\system32\hnuffi.exe
C:\WINDOWS\system32\lomhwf.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\wyftnpja.exe


C:\Program Files\Microsoft AntiSpyware\Quarantine\ - delete everything in this Quarantine folder

Restart and run a new Ewido scan and post that log here. Also give me a new HijackThis log.

Does DrWatson still come up now?

To answer your question, yes, those two are legitimate files in the system32 folder.
  • 0

#27
myob

    Member

  • Topic Starter
  • 18 posts
Hi again,
I followed all of your instructions and deleted most of the files you listed - some weren't there. The new logs are below. I am still getting the dr watson error - unfortunately.


Logfile of HijackThis v1.99.1
Scan saved at 6:16:18 PM, on 6/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\D-Link\Air Utility\AirCFG.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\z5fip1k4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\z5fip1k4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AdobeVersionCue] F:\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [D-Link Air Utility] C:\Program Files\D-Link\Air Utility\AirCFG.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D52954F-73E3-4409-A91F-B313260F4FC9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D52954F-73E3-4409-A91F-B313260F4FC9}: NameServer = 192.168.1.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D52954F-73E3-4409-A91F-B313260F4FC9}: NameServer = 192.168.1.1
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:15:30 PM, 6/6/2005
+ Report-Checksum: CBB37771

+ Date of database: 6/6/2005
+ Version of scan engine: v3.0

+ Duration: 47 min
+ Scanned Files: 144085
+ Speed: 50.13 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
F:\

+ Scan result:
C:\WINDOWS\cdmagent\hgrbknipem.exe -> Spyware.SmartPops -> Cleaned with backup


::Report End
  • 0
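
Added example (not part of the original thread or written by either poster): a cross-check of the removal list in post #26 against a HijackThis log such as the one in post #27, reporting any listed file or folder that still shows up as a running process or autostart entry. The log excerpt is copied from post #27; the `CONSTRUCTED_LOG` lines, including the `loader.exe` name, are made up to show a positive match.

```python
import re
# Removal list from post #26; an entry ending in "\" is a folder.
REMOVAL_LIST = r"""
C:\Program Files\Common Files\csshare\plugins0942\npWTHost.dll
C:\Program Files\Netscape\Netscape 6\Plugins\npWTHost.dll
C:\WINDOWS\cfgmgr52\
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MARKETING32.exe
C:\WINDOWS\Downloaded Program Files\installer_MARKETING32.exe
C:\WINDOWS\Downloaded Program Files\popcaploader.dll
C:\WINDOWS\kmkdjbvnabr.exe
C:\WINDOWS\system32\hnuffi.exe
C:\WINDOWS\system32\lomhwf.exe
C:\WINDOWS\tdtb.exe
C:\WINDOWS\wyftnpja.exe
"""
# Excerpt of the HijackThis log from post #27.
POST27_EXCERPT = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
# Constructed lines (not from the thread): what a leftover would look like.
CONSTRUCTED_LOG = r"""
Running processes:
c:\windows\SYSTEM32\hnuffi.exe
O4 - HKLM\..\Run: [upd] "C:\WINDOWS\cfgmgr52\loader.exe" /s
"""
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)', re.I)
CODE_RE = re.compile(r"^([A-Z]\d{1,2}) - ")  # HijackThis section code, e.g. O4

def leftovers(log_text, removal_text=REMOVAL_LIST):
    """Return (section, path) pairs in the log that match the removal list."""
    targets = [t.strip().lower() for t in removal_text.splitlines() if t.strip()]
    files = {t for t in targets if not t.endswith("\\")}
    folders = [t for t in targets if t.endswith("\\")]
    hits = []
    for line in log_text.splitlines():
        m = CODE_RE.match(line)
        section = m.group(1) if m else "process"
        for path in PATH_RE.findall(line):
            p = path.lower()  # Windows paths compare case-insensitively
            if p in files or any(p.startswith(f) for f in folders):
                hits.append((section, path))
    return hits

if __name__ == "__main__":
    print(leftovers(POST27_EXCERPT), leftovers(CONSTRUCTED_LOG))
```

An empty result only means none of the listed paths is running or set to autostart; files can still be present on disk, which is what the follow-up Ewido scan covers.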

#28
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, I want you to uninstall XP SP2 now from the Add/Remove panel. Restart and install XP SP1a. See if that drwatson error still comes up now.
  • 0

#29
myob

    Member

  • Topic Starter
  • 18 posts
What about SP2? If I uninstall it then install XP SP1a will I just reinstall SP2 afterwards?
  • 0

#30
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I was told by another expert to give this a shot first since SP2 has some other feature that might have triggered the drwatson messages. See if SP1a will show anything about drwatson.

Post back the status. I will ask thatman to assist us further on whether you should install SP2 if everything is good after installing SP1a.
  • 0





