Hijack This Log [RESOLVED]


#31 - elliotc02 (Topic Starter, Member, 34 posts)
browser.exe

Compiled AutoIt Script
Third-party compiled AutoIt script. For details visit http://www.hiddensoft.com/AutoIt/
2.64.0.0


epsuninst.exe

e-PocketSetup Uninstaller
3.3.0.1
Copyright © 2002 Marcelo Bona Boff
I've never heard of it...

#32 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Does this sound familiar at all?

Software Publisher's Description
e-PocketSetup is the new generation of Windows/Windows NT, Windows CE devices and Palm OS devices setup generator. You have a full control of the setup program, creating your own setup dialogs, changing the setup actions, designing your background window. Version 3.6 adds support for Windows Mobile 2003 devices, including Pocket PC 2003.

It isn't malicious so it's nothing to worry about.

Let me see if I can find anything out about that other one.

#33 - elliotc02 (Topic Starter, Member, 34 posts)
Hmm...might have installed it a LONG time ago...I don't use it now, that's for sure...I was wondering about the lsass.exe program crashing randomly...It forces a reset on my computer and it's super annoying!! Thanks again for your extensive help banana, I really appreciate it!

#34 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Post another HiJackThis log for me please.

We are going to remove optional items from startup, then we are going to use a registry cleaner to see if that helps anything.

#35 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Oops, wrong topic :tazz:

Edited by bananafanafo, 08 June 2005 - 11:02 PM.


#36 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Ok, I have no clue what this browser.exe is, so this is what we're going to do:

Upload it to see if it appears to be a virus threat.

Go here:

http://www.kaspersky.com/scanforvirus

Click the "browse" button, then locate C:\Windows\browser.exe and click submit. Let me know what it says.

Edited by bananafanafo, 08 June 2005 - 11:49 PM.


#37 - elliotc02 (Topic Starter, Member, 34 posts)
You're clean!

Kaspersky Anti-Virus has not detected any viruses at this time in the file you submitted.

However, only a fully-functional antivirus solution with regularly updated virus definitions can ensure comprehensive protection against malware. If you do not have an antivirus solution installed, you may wish to consider purchasing one today.

* Download a trial version of Kaspersky Anti-Virus
* Purchase Kaspersky Anti-Virus in our E-Store
* Purchase Kaspersky Anti-Virus from a certified partner



Scanned file: browser.exe
browser.exe - OK

#38 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Please post another HijackThis log so we can remove optional items from startup.

#39 - elliotc02 (Topic Starter, Member, 34 posts)
Logfile of HijackThis v1.99.1
Scan saved at 3:54:53 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\ntsubsys.exe
C:\Program Files\PokerStars.NET\PokerStars.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#40 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
You are re-infected with the worm (slightly different version). Please try to avoid surfing the internet as much as possible while we're trying to get rid of it, otherwise it will get worse.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C.

C:\WINDOWS\wkssvc.exe
C:\WINDOWS\msdarkend.exe
C:\WINDOWS\System32\ntsubsys.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

Go to Start->Run and type "Services.msc" (without quotes), then hit Ok.
Scroll down and find the below service:

Workstation Service Library

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (copy and paste):

Microsoft Locator Service

Click ok.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

After reboot, run HiJackThis. Place a check next to the following items and click FIX CHECKED:

O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe


Post a new HiJackThis log.
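
Michelle reads the re-infection off the new log by eye: a worm binary dropped straight into C:\WINDOWS, autostart entries pointing at it, and a service with "Unknown owner" wearing a Microsoft-style name. The Python below is an added example, not a tool from this thread or from the HijackThis project: it parses the running-process, O4 and O23 sections of a log, applies those same checks, and diffs the 3:54 AM log against the 11:42 AM rescan so the removed entries show up. The log excerpts and the file-name list come from the posts in this topic; the allowlist of binaries that legitimately sit in the C:\WINDOWS root is an assumption of the example.

```python
import re
from typing import Dict, List, Tuple

# O4 registry autostart line, e.g. O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23 service line; the "(ShortName)" part is not always present in HijackThis output.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# First executable-looking token of a command line, quoted or not, with or without arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|sys|scr))', re.IGNORECASE)
# Assumed allowlist: binaries that legitimately live directly under C:\WINDOWS on Windows XP.
WINDIR_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}
# File names the thread's helper had the poster delete with Killbox; a real tool
# would take these from a maintained signature feed rather than a hard-coded set.
THREAD_IOCS = {"wkssvc.exe", "msdarkend.exe", "ntsubsys.exe", "rdriv.sys", "itunesmusic.exe"}


def parse_log(text: str) -> Dict[str, List[str]]:
    """Collect the running-process, O4 and O23 lines of a HijackThis log."""
    sections: Dict[str, List[str]] = {"process": [], "O4": [], "O23": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line terminates the "Running processes:" block
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            sections["process"].append(line)
        else:
            prefix = line.split(" - ", 1)[0]  # "O4", "O23", "R1", ...
            if prefix in sections:
                sections[prefix].append(line)
    return sections


def executable_of(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, leaving the binary path."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def path_reasons(path: str) -> List[str]:
    """Why a binary path deserves a closer look; an empty list means nothing noticed."""
    parts = path.lower().split("\\")  # C:\WINDOWS\x.exe has exactly three parts
    reasons = []
    if len(parts) == 3 and parts[1] == "windows" and parts[2] not in WINDIR_ROOT_ALLOW:
        reasons.append("executable dropped directly into C:\\WINDOWS")
    if parts[-1] in THREAD_IOCS:
        reasons.append("file name matches an indicator named in this thread")
    return reasons


def triage(sections: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """One (section, reason, line) finding per reason, for every entry worth review."""
    findings = []
    for line in sections["process"]:
        findings += [("process", r, line) for r in path_reasons(line)]
    for line in sections["O4"]:
        m = O4_RE.match(line)
        if m:  # Global Startup (.lnk) entries use another format and are skipped here
            findings += [("O4", r, line) for r in path_reasons(executable_of(m.group("cmd")))]
    for line in sections["O23"]:
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = path_reasons(m.group("path"))
        if m.group("owner") == "Unknown owner":
            ms_style = "microsoft" in (m.group("display") + (m.group("short") or "")).lower()
            reasons.append("unknown-owner service hiding behind a Microsoft-style name" if ms_style
                           else "service with no identifiable owner")
        findings += [("O23", r, line) for r in reasons]
    return findings


def diff_logs(old: Dict[str, List[str]], new: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Lines that appeared or vanished between two scans; new entries signal re-infection."""
    out: Dict[str, List[str]] = {"added": [], "removed": []}
    for sec in ("process", "O4", "O23"):
        before, after = set(old[sec]), set(new[sec])
        out["added"] += sorted(after - before)
        out["removed"] += sorted(before - after)
    return out


# Constructed excerpts of the logs posted in this thread: LOG_INFECTED from the
# 3:54 AM scan of 6/10/2005 (post #39), LOG_AFTER from the 11:42 AM rescan (#41).
LOG_INFECTED = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wkssvc.exe
C:\WINDOWS\System32\ntsubsys.exe

O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DiskCheck] "C:\WINDOWS\msdarkend.exe"
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\ntsubsys.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe
"""
# The rescan: the worm's files are gone and lsass.exe is running again.
LOG_AFTER = "\n".join(
    l for l in LOG_INFECTED.splitlines() if not any(ioc in l.lower() for ioc in THREAD_IOCS)
).replace("smss.exe\n", "smss.exe\nC:\\WINDOWS\\system32\\lsass.exe\n")
```

Running `triage(parse_log(LOG_INFECTED))` flags exactly the five lines Michelle had removed, and `diff_logs` on the two logs reports them as removed with lsass.exe as the only addition.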

#41 - elliotc02 (Topic Starter, Member, 34 posts)
Logfile of HijackThis v1.99.1
Scan saved at 11:42:49 AM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#42 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
We need to do this again:

Please follow all instructions exactly as specified. I would advise printing them out so you're sure to follow all instructions.

Copy the below instructions (until you get to the purple text). Paste them into Notepad and save it for use while in Safe Mode. This is important because it has to be done exactly in order for this to work.

I need you to reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

After getting into Safe Mode, go to Start > Run and type in:

cmd

Click OK.

A black window will open up.

Copy the below line, exactly, and paste it into the black window:

attrib -h -r -s C:\WINDOWS\system32\rdriv.sys

Hit Enter.

When it goes to the next line, copy the below line, exactly, and paste it into the black window:

del C:\WINDOWS\system32\rdriv.sys

Hit Enter.

Then type exit

[END OF INSTRUCTIONS TO COPY FOR SAFE MODE]

Reboot into normal mode.

RIGHT-CLICK HERE and Save As (in Internet Explorer, it's "Save Target As") in order to download the fixrdriv.reg file. Save it to your desktop.

Locate fixrdriv.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

After the "merged successfully" prompt, please do the following:

* Download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them, then press CTRL + C.

C:\WINDOWS\system32\rdriv.sys
C:\WINDOWS\ItunesMusic.exe
C:\WINDOWS\wkssvc.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

While it's restarting, continually tap the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.

In Safe Mode, run CleanUp!

Still in Safe Mode:
  • Run Ewido.
  • Click on Scanner.
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan.
  • Let the program scan the machine. While the scan is in progress you will be prompted to clean files; click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report.
  • Save the report to your desktop.

Reboot into normal mode.

I need you to post the log from Ewido, and a new HiJackThis log into this topic.

Edited by bananafanafo, 10 June 2005 - 01:33 PM.


#43 - elliotc02 (Topic Starter, Member, 34 posts)
Strange thing is that I'm now automatically updating my computer with the XP auto updates...never used to do that before...Anyways, here ya go! Thanks a million!

Logfile of HijackThis v1.99.1
Scan saved at 3:23:16 AM, on 6/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\palmOne\Hotsync.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\update\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ElliotChi\Desktop\HiJack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O5 "LPT1:" /M "Stylus C82"
O4 - HKLM\..\Run: [CASpeed] "C:\Program Files\Cable e ADSL Speed\NtwCA.exe" /HIDE
O4 - HKLM\..\Run: [DXDllRegExe] C:\WINDOWS\System32\dxdllreg.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBC Self Support Tool\SmartBridge\MotiveSB.exe
O4 - HKLM\..\Run: [TangoManager] C:\Program Files\Covad\Covad DSL\app\TangoManager.exe
O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Tweak-XP] C:\Program Files\Tweak-XP\Tweak-xp.exe -ex
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [BullguardoptIn] C:\WINDOWS\Temp\BullGuard\bulldownload.exe
O4 - HKCU\..\RunOnce: [MPlayer2_FixUp] C:\WINDOWS\inf\unregmp2.exe /Fixups
O4 - HKCU\..\RunOnce: [RunPalmPIL] "C:\Program Files\palmOne\pil.exe"
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - http://files.member....c/yinsthdlk.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



Here's the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:18:28 AM, 6/13/2005
+ Report-Checksum: 7FC834F2

+ Date of database: 6/7/2005
+ Version of scan engine: v3.0

+ Duration: 46 min
+ Scanned Files: 71923
+ Speed: 25.83 Files/Second
+ Infected files: 38
+ Removed files: 38
+ Files put in quarantine: 38
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069543.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069544.DLL -> Spyware.ClearSearch.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069545.exe/re11.REG -> Trojan.LowZones.a -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069546.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069547.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069548.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069549.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069550.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069551.dll -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069552.exe -> Spyware.Adtomi.e -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069553.dll -> Spyware.VirtualBouncer.d -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069554.scr -> TrojanDownloader.NSIS.gen -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069555.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069556.exe -> Trojan.AproposAd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069557.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069558.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069559.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069560.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069561.exe -> Trojan.Delf.cf -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069562.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069563.exe -> Backdoor.Rbot -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069564.exe -> Spyware.WinFetcher.b -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069565.dll -> TrojanDownloader.Dyfuca.eg -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069566.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP301\A0069578.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070863.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070868.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070874.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP303\A0070880.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070885.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0070893.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071003.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0071013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072013.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072015.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072058.sys -> Trojan.Rootkit.k -> Cleaned with backup
C:\System Volume Information\_restore{01787B9C-9954-4113-BF2C-7D16B6C755BE}\RP304\A0072070.exe -> Backdoor.SdBot.xd -> Cleaned with backup
C:\WINDOWS\Temp\__delete_on_reboot__~168099.tmp -> Spyware.Wintol.p -> Cleaned with backup


::Report End

#44 - Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Strange thing is that I'm now automatically updating my computer with the XP auto updates...never used to do that before.

I have it set that way in the fixrdriv.reg you ran earlier.

Are you having any other problems?

You NEED Service Pack 2 otherwise you will become infected with this worm again.

#45 - elliotc02 (Topic Starter, Member, 34 posts)
The only problem I have left is that when I'm using my computer, it will randomly have an error that reads:

lsass.exe failed

I click ok and my computer restarts in 60 seconds...not sure what to do with that, but that's the only problem I have left!