registry infected?!


#1 edooo20 (New Member, 4 posts)
Okay, this is the thing: when I open Explorer, something creates 1-3 files in my Windows folder. There are many different filenames; in this log there are:

C:\WINDOWS\sysvz32.exe
C:\WINDOWS\javamn.exe


When I scan my PC and delete them, it's all good until I open Explorer; then I get new files.


Logfile of HijackThis v1.99.1
Scan saved at 23:38:14, on 2005-06-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\javamn.exe
C:\WINDOWS\sysvz32.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addva32.dll
O4 - HKLM\..\Run: [sysvz32.exe] C:\WINDOWS\sysvz32.exe
O4 - HKLM\..\RunOnce: [javamn.exe] C:\WINDOWS\javamn.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/Ch...VideoContol.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pdownloader.cab
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\atllc.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program\NetLimiter 2\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)


#2 little eagle (Member, 170 posts)
You may want to print out these instructions or save them to your desktop as a text file with Notepad, because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Download CWShredder to your desktop.
Please do not do anything with it yet.

Download AboutBuster, also to your desktop.
Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
Run AboutBuster.exe. Then hit OK; note that there is now an Update button. Hit Update and "Check for Update". If there is a newer version, hit "Download Update". You should not run the program yet, so click "Exit".

Download cwsserviceremove.zip.
Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.

Download Pocket Killbox and unzip it; save it to your desktop.

And the last one we need:
Please download and install this disk cleanup utility called Cleanup! Don't run it yet.

It will get rid of any malware which may be hiding in your temp folders.
You will also regain a massive amount of disk space.
Here is a tutorial which describes its usage:

Now reconfigure Windows to show hidden files; instructions here.

Go to Start -> Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the service called:
Network Security Service (NSS)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows. If you don't find this service listed, go ahead with the next steps.



Reboot in Safe Mode; instructions here.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addva32.dll
O4 - HKLM\..\Run: [sysvz32.exe] C:\WINDOWS\sysvz32.exe
O4 - HKLM\..\RunOnce: [javamn.exe] C:\WINDOWS\javamn.exe
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\atllc.exe (file missing)


Run Killbox and click the radio button that says "Delete a file on reboot". For each of the files you could not delete, paste them one at a time into the "Full path of file to delete" box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time.
C:\WINDOWS\system32\addva32.dll
C:\WINDOWS\sysvz32.exe
C:\WINDOWS\javamn.exe
C:\WINDOWS\atllc.exe


Run CWShredder:
Double-click on CWShredder.exe.
Click "Fix ->" and click "OK" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit".

Double-click on cwsserviceremove.reg you downloaded earlier.
When it asks you to merge the information to the registry click "Yes".

Run AboutBuster and save the logs:
Run AboutBuster.exe.
Click OK at the directions prompt.
Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
Click Yes to allow it to shut down explorer.exe.
It will begin to scan your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log. Make sure you save it, as I need a copy of it.

Run Cleanup:
Under the Windows tab, check Internet Explorer, Windows Explorer, and System.
Then click Run Cleaner.

Restart your computer normally to return to normal mode.

Run an AV scan and allow it to delete whatever it finds:
TrendMicro HouseCall
Note anything that can't be fixed.
Hopefully the only thing that can't be fixed is in your System Restore, which we need to clean out later.


Then post a fresh HijackThis log and the AboutBuster log back into this thread.
Please note any complications you had and any instructions that you could not follow.
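The reply above picks four files out of the HijackThis log by eye. As an added example (not part of the original thread and not HijackThis code), the Python script below applies the same kind of reasoning as explicit, weighted rules over the O2/O4/O23 entries: a binary sitting directly in C:\WINDOWS rather than under System32, a Run value named after its own file, a service whose short name is garbage characters, a BHO with a generic name, and a service marked "(file missing)". The weights, the threshold, the hard-coded C:\WINDOWS root and the sample lines (copied from the log in post #1) are this example's own assumptions.

```python
"""Triage heuristics for HijackThis v1.99 log lines.

Added example for this thread: not HijackThis output and not the helper's own
procedure. The sample lines are copied from the first log posted in the thread;
the scoring rules, weights and threshold are assumptions made for this example.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample input: entries copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {007F3E5D-5957-E86E-8681-82EE2B1C5E7F} - C:\WINDOWS\system32\addva32.dll
O4 - HKLM\..\Run: [sysvz32.exe] C:\WINDOWS\sysvz32.exe
O4 - HKLM\..\RunOnce: [javamn.exe] C:\WINDOWS\javamn.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: Network Security Service ( 11F #`I) - Unknown owner - C:\WINDOWS\atllc.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program\NetLimiter 2\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)
"""

# Line shapes as HijackThis 1.99 prints them.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<short>[^)]*)\) - (?P<owner>.*?) - (?P<path>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
# What a normal service name looks like; anything else is treated as garbage.
CLEAN_NAME_RE = re.compile(r"[A-Za-z0-9 ._()-]*")
WINDOWS_ROOT = r"c:\windows"  # assumption: %WINDIR% on the poster's machine

# Heuristic weights (assumptions for this example). score >= THRESHOLD => review.
THRESHOLD = 2
WEIGHTS = {
    "binary in Windows root": 2,
    "garbage service name": 2,
    "generic BHO name": 2,
    "Run value named after its file": 1,
    "file missing": 1,
}


@dataclass
class Finding:
    section: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def _first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def _in_windows_root(path):
    # C:\WINDOWS\foo.exe, but not C:\WINDOWS\System32\foo.exe
    return ntpath.dirname(path).lower() == WINDOWS_ROOT


def triage_line(line):
    """Return a Finding for one O2/O4/O23 line, or None for lines not handled."""
    if (m := O2_RE.match(line)):
        f = Finding("O2", m["path"])
        if m["name"].strip().lower() in {"class", "(no name)"}:
            f.reasons.append("generic BHO name")
    elif (m := O4_RE.match(line)):
        path = _first_path(m["cmd"])
        if path is None:
            return None
        f = Finding("O4", path)
        if m["name"].lower() == ntpath.basename(path).lower():
            f.reasons.append("Run value named after its file")
    elif (m := O23_RE.match(line)):
        path = _first_path(m["path"])
        if path is None:
            return None
        f = Finding("O23", path)
        if not CLEAN_NAME_RE.fullmatch(m["short"]) or not CLEAN_NAME_RE.fullmatch(m["display"]):
            f.reasons.append("garbage service name")
        if "(file missing)" in m["path"]:
            f.reasons.append("file missing")
    else:
        return None
    if _in_windows_root(f.path):
        f.reasons.append("binary in Windows root")
    return f


def triage(log_text):
    findings = [triage_line(l.strip()) for l in log_text.splitlines()]
    return [f for f in findings if f is not None]


def review_list(log_text):
    """Sorted paths scoring at or above THRESHOLD: what a human should look at."""
    return sorted({f.path for f in triage(log_text) if f.score >= THRESHOLD})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "REVIEW" if f.score >= THRESHOLD else "ok    "
        print(f"{flag} {f.section:<3} {f.path}  {', '.join(f.reasons) or '-'}")
```

Run it and the four paths the reply sends to Killbox come out at or above the threshold, while the NVIDIA and SecuROM orphans (file missing, but under System32 with a clean name) stay below it. "file missing" on its own is a reason to clean up the stale service registration, not evidence of malware, which is why it carries the lowest weight.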

#3 edooo20 (Topic Starter, 4 posts)
Thanks a lot, dude. So far it looks good; I think I'm rid of the [bleep] :tazz:

#4 little eagle (Member, 170 posts)
Post another log when done, please :tazz:

#5 edooo20 (Topic Starter, 4 posts)
Logfile of HijackThis v1.99.1
Scan saved at 00:53:34, on 2005-06-04
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\NetLimiter 2\nlsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\NetLimiter 2\NLClient.exe
C:\Program\Yahoo!\Messenger\YPager.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Microsoft Office\Office10\WINWORD.EXE
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program\Webroot\Spy Sweeper\SpySweeper.exe" /0
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program\expektMPP\MPPoker.exe
O16 - DPF: {02CA9974-B6AC-497E-A371-73580432B0F6} (Eyeball Video Message Control) - http://imlive.com/Ch...VideoContol.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - http://messenger.msn...pdownloader.cab
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program\NetLimiter 2\nlsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\System32\nvsvc32.exe (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe (file missing)




New log =)

#6 little eagle (Member, 170 posts)
Download the trial version of TDS-3.
Install it, but do not launch it yet.

Update it here: right-click, select "Save as".

Save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

Then launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.
Detections will appear in the lower pane of the TDS window. After the scan is finished (it'll take a while), right-click the list and select "Save as txt". Save it and post the contents of the scandump.txt here.

After posting the scandump, go ahead and right-click the list of detections again. This time select Delete!
Only delete those with positive identification.

#7 edooo20 (Topic Starter, 4 posts)
Scan Control Dumped @ 02:36:16 04-06-05
RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
File: Software\Microsoft\OLE [Systray=w32explorer.exe]

RegVal Trace: DDoS.RAT.rBot: HKEY_LOCAL_MACHINE
File: Software\Microsoft\OLE [Systray=w32explorer.exe]

Suspicious Filename: Dual extensions
File: c:\documents and settings\edo\skrivbord\avicodec_1.1.0.4.exe

Suspicious Filename: Dual extensions
File: c:\documents and settings\edo\skrivbord\matroska_pack_full_v1.1.1.exe

Positive identification: Riskware.ProcessRestart
File: c:\program\logitech\desktop messenger\8876480\6.1.4.68-8876480l\program\restart.exe

Positive identification: Adware.BargainBuddy.q2
File: c:\windows\exdl.exe

Positive identification: Adware.Toolbar.UCMore Dropper.e
File: c:\windows\ucmoreiex.exe

Positive identification (embedded in file): PSW.PdPinch.ai
File: c:\windows\vr_sys.dll

Positive identification: PSW.LdPinch.os
File: c:\windows\system32\abc.exe

Positive identification: Trojan.Win32.Pakes.s
File: c:\windows\system32\midwan.exe

Positive identification: Adware.BargainBuddy.n12
File: c:\windows\system32\msxct.exe

Positive identification: Trojan.Win32.Pakes.t
File: c:\windows\system32\nvomt331.exe

Positive identification: Hoax.Win32.Renos.a
File: c:\windows\system32\vxh8jkdq2.exe

Positive identification (DLL): TrojanProxy.Win32.Small.bo (dll)
File: c:\windows\system32\wldr.dll

Positive identification (DLL): Trojan.Win32.WebSearch.j (dll)
File: c:\windows\system32\services\{1e78d8fd-378b-4d73-828d-3574d7b0e324}\svchost.dll

Positive identification (DLL): Trojan.Win32.WebSearch.j1 (dll)
File: c:\windows\system32\services\{1e78d8fd-378b-4d73-828d-3574d7b0e324}\svchost32.dll


That's all. Looks good? :tazz:

#8 little eagle (Member, 170 posts)
Delete the ones with Positive identification.

Then post another HijackThis log :tazz:
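The reply above draws a line that the TDS-3 dump itself only implies: entries headed "Positive identification" are signature matches, "Suspicious Filename" entries are heuristics (here, a filename with several dots), and "RegVal Trace" entries point at registry values, not files (the "File:" line for the rBot trace is a key plus a Systray=w32explorer.exe value). As an added example (not TDS-3 code and not the helper's procedure), the Python below splits a dump into those three classes so that only signature-backed files end up on a delete list. The sample dump is copied from post #7; the parsing rules are this example's assumptions about the dump's layout.

```python
"""Sort a TDS-3 scan dump into detection classes before deleting anything.

Added example for this thread; it is not TDS-3 code and not the helper's own
procedure. The sample dump is copied from the scandump posted in the thread;
the class labels are the ones TDS-3 printed there, the parsing is an assumption.
"""
import re

# Constructed sample input: entries copied from the scandump in post #7.
SAMPLE_DUMP = r"""
Scan Control Dumped @ 02:36:16 04-06-05
RegVal Trace: DDoS.RAT.rBot: HKEY_CURRENT_USER
File: Software\Microsoft\OLE [Systray=w32explorer.exe]

Suspicious Filename: Dual extensions
File: c:\documents and settings\edo\skrivbord\avicodec_1.1.0.4.exe

Positive identification: Riskware.ProcessRestart
File: c:\program\logitech\desktop messenger\8876480\6.1.4.68-8876480l\program\restart.exe

Positive identification (embedded in file): PSW.PdPinch.ai
File: c:\windows\vr_sys.dll

Positive identification (DLL): TrojanProxy.Win32.Small.bo (dll)
File: c:\windows\system32\wldr.dll
"""

# A detection is one header line followed by one "File:" line.
HEADER_RE = re.compile(
    r"^(?P<kind>Positive identification|Suspicious Filename|RegVal Trace)"
    r"(?: \((?P<qualifier>[^)]*)\))?: (?P<detail>.*)$"
)
# For RegVal traces the "File:" line is really  <registry key> [<value>=<data>]
REGVAL_RE = re.compile(r"^(?P<key>.*?) \[(?P<value>[^=\]]*)=(?P<data>[^\]]*)\]$")


def parse_dump(text):
    """Return a list of dicts: kind, qualifier, detail, target (the File: line)."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            pending = {"kind": m["kind"], "qualifier": m["qualifier"],
                       "detail": m["detail"], "target": None}
            entries.append(pending)
        elif line.startswith("File: ") and pending is not None:
            pending["target"] = line[len("File: "):]
            pending = None  # one File: line per detection
    return entries


def delete_candidates(entries):
    """Files backed by a signature match. Heuristic hits stay off this list."""
    return [e["target"] for e in entries
            if e["kind"] == "Positive identification" and e["target"]]


def review_only(entries):
    """Heuristic hits (e.g. 'Dual extensions') that a human should inspect first."""
    return [(e["detail"], e["target"]) for e in entries
            if e["kind"] == "Suspicious Filename"]


def registry_traces(entries):
    """RegVal traces as (family, hive, key, value name, data): registry values, not files."""
    out = []
    for e in entries:
        if e["kind"] != "RegVal Trace" or not e["target"]:
            continue
        family, _, hive = e["detail"].rpartition(": ")
        m = REGVAL_RE.match(e["target"])
        if m:
            out.append((family, hive, m["key"], m["value"], m["data"]))
    return out


if __name__ == "__main__":
    found = parse_dump(SAMPLE_DUMP)
    print("delete:", *delete_candidates(found), sep="\n  ")
    print("review:", *review_only(found), sep="\n  ")
    print("registry:", *registry_traces(found), sep="\n  ")
```

The registry traces are what a file-deletion tool such as Killbox cannot touch: the Systray value under Software\Microsoft\OLE has to be removed from both HKCU and HKLM, as the dump lists it, or it will keep pointing at w32explorer.exe after the files are gone.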