Pop-up Ads [RESOLVED]

#1 salex_007 (New Member, 6 posts)

These ads stay on top of everything and if you click on the Exit X on the top right they slide off to whence they came. Here is my HijackThis Logfile and I have already run Ad-Aware and Norton Virus to clean the system but they continue to appear sporadically.


Logfile of HijackThis v1.99.1
Scan saved at 01:27:16 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\memsdo.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\WINDOWS\system32\vnaavl.exe
C:\WINDOWS\system32\mdmcurs.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
C:\Program Files\Winnov\Videum\WnvDStatus.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [sFsT37Q] memsdo.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [ijvdcmg] c:\windows\system32\ijvdcmg.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vnaavl.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O4 - Global Startup: Status Tool.lnk = C:\Program Files\Winnov\Videum\WnvDStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.o...rces/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114381910093
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.vs-us.com...vers/Live60.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://www.vs-us.com...vers/live54.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\Software\..\Telephony: DomainName = isis.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = isis.local
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ctmaddin.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Is there anything else you will need?

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

Nope, this is all we need for now. Let's get this started:

Any idea what this program is for?

C:\Program Files\Winnov\Videum\WnvDStatus.exe


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download Ewido Security Suite at http://www.ewido.net/en/download/ and install it. Update to the newest definitions. If you have trouble updating, you may do it manually at http://www.ewido.net...wnload/updates/. Do NOT run the Ewido scan yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Next run a full scan in Ewido. Save the log from the Ewido scan so that you can post it later.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [sFsT37Q] memsdo.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [ijvdcmg] c:\windows\system32\ijvdcmg.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vnaavl.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\memsdo.exe
C:\WINDOWS\system32\vidctrl\
C:\WINDOWS\system32\vnaavl.exe
C:\WINDOWS\system32\mdmcurs.exe
C:\Program Files\AutoUpdate\
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\system32\regsync.exe
c:\windows\system32\ijvdcmg.exe
C:\WINDOWS\system32\vnaavl.exe


Restart and run a new HijackThis scan. Save the log file and post it here.

Upload this file (C:\WINDOWS\system32\ctmaddin.dll) to this site. Report back what it found.

#3 salex_007 (Topic Starter, New Member, 6 posts)

The WnvDStatus.exe file is a necessary file for a programming project I am working on.

I do not have a ctmaddin.dll to upload, so I do not know what to do on this part.

Here is the New HijackThis Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 03:20:27 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
C:\Program Files\Winnov\Videum\WnvDStatus.exe
C:\WINDOWS\system32\userinit.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O4 - Global Startup: Status Tool.lnk = C:\Program Files\Winnov\Videum\WnvDStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.o...rces/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114381910093
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.vs-us.com...vers/Live60.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://www.vs-us.com...vers/live54.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\Software\..\Telephony: DomainName = isis.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = isis.local
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ctmaddin.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


and here is the Ewido Logfile:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 03:02:13 PM, 6/13/2005
+ Report-Checksum: 3F8538CA

+ Date of database: 6/13/2005
+ Version of scan engine: v3.0

+ Duration: 39 min
+ Scanned Files: 57453
+ Speed: 24.01 Files/Second
+ Infected files: 108
+ Removed files: 107
+ Files put in quarantine: 107
+ Files that could not be opened: 0
+ Files that could not be cleaned: 1

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntcc.exe -> TrojanDownloader.Qoologic.n -> Error during cleaning
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@11199995[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@18787707[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@26606202[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@35283272[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@55674483[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@63392527[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@65679750[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@67265735[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@70307935[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@72597726[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@77421188[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@79777648[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@87738116[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@burstnet[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@com[4].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@dcsc5k1y36twkfwddu2xlbvwn_2p6y[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@dcskf5ra3wievv2j7rl2dzj9r_8m4t[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@dcspmlfn66twkfocu55nbix84_4c4t[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S005-01-3-19-233247-61503[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S109868[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S109869[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S118485[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S141588[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@S147432[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@search123[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Local Settings\Temp\temp.fr9D0B\EliteToolBar version 60.dll -> Spyware.EliteBar.af -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\BXZL86Z7\Gummy[1].class -> Trojan.Java.Femad -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\EPNUIS8O\web[2].htm -> TrojanDownloader.VBS.Psyme.ap -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\pcs_0002[1].exe -> Spyware.Pacer.b -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@11199995[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@18787707[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@26606202[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@35283272[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@55674483[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@63392527[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@65679750[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@67265735[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@70307935[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@72597726[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@77421188[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@79777648[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@87738116[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@burstnet[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@dcsc5k1y36twkfwddu2xlbvwn_2p6y[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@dcskf5ra3wievv2j7rl2dzj9r_8m4t[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@dcspmlfn66twkfocu55nbix84_4c4t[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@link[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S005-01-3-19-233247-61503[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S109868[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S109869[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S118485[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S141588[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@S147432[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Laptop\Zips\Cookies\salexander@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.DelphinMedia.Viewer.f -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaAccX.dll -> Spyware.WinAD -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pcs_0002.exe -> Spyware.Pacer.b -> Cleaned with backup
C:\WINDOWS\protector.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\system\UpdInst.exe -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINDOWS\system32\boqqbxd.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\COMMCOS2.DLL -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINDOWS\system32\ctmaddin.dll -> Spyware.Look2Me.ab -> Cleaned with backup
C:\WINDOWS\system32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\system32\pdqqp.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\system32\pvyyp.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\regsync.exe -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\system32\vbrundll.dll -> Spyware.SafeSurfing -> Cleaned with backup
C:\WINDOWS\system32\vnaavl.exe -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\system32\zgbbzno.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup


::Report End

Looking at this, Norton and Ad-Aware missed a few things.

I also noticed that when I came back up, there was a New Icon on my desktop, named...Wasssssup!

Any advice on getting rid of this one?

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Yes, that ctmaddin.dll file should have been gone before you did the scan, since Ewido removed it.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run Ewido again and save the log when it's done.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ctmaddin.dll (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ntcc.exe
c:\windows\system32\mdmcurs.exe


Restart and run a new HijackThis scan. Save the log file and post it here along with the Ewido log.
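
Posts #2 and #4 repeat the same loop: pick the HijackThis entries to "Fix checked", then delete the files behind them, and re-check the next log for anything that came back (the mdmcurs.exe entry did). The Python below is an added example, not code from the thread or from HijackThis, that does that mapping mechanically over a constructed excerpt of the posted logs; the function names (`parse_log`, `target_of`, `resolve`, `removal_list`, `still_present`) are my own.

```python
"""Derive a removal checklist from HijackThis v1.99.1 log entries.

Added example, not code from the thread or from HijackThis: it maps the O2/O4/O16/O20
lines the helper asked to "Fix checked" onto the files they load, resolves bare image
names such as "memsdo.exe" against the log's "Running processes" section, skips entries
that name no local file (O16 download URLs, O20 lines marked "(file missing)") and
reports which entries survived into a later log. Both logs are constructed excerpts.
"""
import re

ENTRY = re.compile(r"^([RFNO]\d+) - (.*)$")  # "O4 - HKLM\..\Run: [name] image"
IMAGE = re.compile(r'"([^"]+)"|(\S+)')       # first command-line token, quoted or bare

LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\memsdo.exe
C:\WINDOWS\system32\mdmcurs.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe

O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [sFsT37Q] memsdo.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vnaavl.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c8.cab
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ctmaddin.dll
"""

# Log from the next round: the HKCU Run entry came back, ctmaddin.dll is gone from disk.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\ctmaddin.dll (file missing)
"""

# The helper's pick: every entry in LOG_BEFORE except the legitimate ATI tray item.
FIX_LINES = [ln for ln in LOG_BEFORE.splitlines() if ENTRY.match(ln) and "[ATIPTA]" not in ln]

def parse_log(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    procs, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False                # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            procs.append(line)
        else:
            m = ENTRY.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return procs, entries

def target_of(section, body):
    """File loaded by an O2/O4/O20 entry, or None when it names no local file."""
    if section == "O4":
        m = re.search(r"\] (.+)$", body)    # "[name] <command line>"
        if not m:                           # Global Startup .lnk lines have no [name]
            return None
        q = IMAGE.match(m.group(1))
        return q.group(1) or q.group(2)
    if section in ("O2", "O20"):
        path = body.rsplit(" - ", 1)[-1]
        return None if path.endswith("(file missing)") else path
    return None                             # O16 DPF entries point at a URL, not a file

def resolve(path, procs):
    """Expand a bare image name (no directory part) via the running-process list."""
    if "\\" in path:
        return path
    suffix = "\\" + path.lower()
    return next((p for p in procs if p.lower().endswith(suffix)), path)

def removal_list(log_text, fix_lines):
    """Map the lines a helper asks to 'Fix checked' onto files to delete, in order."""
    procs, _ = parse_log(log_text)
    out, seen = [], set()
    for line in fix_lines:
        m = ENTRY.match(line.strip())
        path = target_of(m.group(1), m.group(2)) if m else None
        if path is not None:
            path = resolve(path, procs)
            if path.lower() not in seen:    # same file may be named by two entries
                seen.add(path.lower())
                out.append(path)
    return out

def still_present(fix_lines, later_log_text):
    """Fix lines that reappear verbatim in a later log (the thread's mdmcurs.exe case)."""
    _, entries = parse_log(later_log_text)
    current = {f"{s} - {b}" for s, b in entries}
    return [ln.strip() for ln in fix_lines if ln.strip() in current]
```

`removal_list(LOG_BEFORE, FIX_LINES)` yields the seven files behind the chosen entries, with the bare `memsdo.exe` and `mdmcurs.exe` expanded to their system32 paths, and `still_present(FIX_LINES, LOG_AFTER)` flags the one HKCU Run entry that survived the first round.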

#5 salex_007 (Topic Starter, New Member, 6 posts)

Here is the new HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 08:26:20 AM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Winnov\Videum\WnvDStatus.exe
C:\WINDOWS\system32\userinit.exe
\ISIS-SERVER\Clients\Setup\applnch.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O4 - Global Startup: Status Tool.lnk = C:\Program Files\Winnov\Videum\WnvDStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.o...rces/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114381910093
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.vs-us.com...vers/Live60.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://www.vs-us.com...vers/live54.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\Software\..\Telephony: DomainName = isis.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = isis.local
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Here is the last Ewido scan:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 06:00:57 PM, 6/13/2005
+ Report-Checksum: 5BE54DB8

+ Date of database: 6/13/2005
+ Version of scan engine: v3.0

+ Duration: 23 min
+ Scanned Files: 29327
+ Speed: 20.42 Files/Second
+ Infected files: 7
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@atdmt[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@hitbox[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\SAlexander.isis\Cookies\salexander@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End



The problem is that the Wassssup! Icon is still on my desktop. Am I still infected? I figured this would all be cleared up by now.

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you know what this program is for?

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll


Please run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here

Right click on http://www.silentrun...ent Runners.vbs and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on 'Silent Runners' to run it. This will take a few minutes. It will create a file called 'Startup Programs' followed by your computer name and current date. Open up that file and post all the contents here in your next post.
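A small parser for the HijackThis O-lines quoted in this thread, written as an added example (it is not HijackThis code and not something posted by either participant). It turns each O4/O18/O20/O23 line into a record and flags the properties a log reviewer checks first: Run values that give only a bare file name, a MIME filter on text/html, Winlogon Notify DLLs, and services with no publisher. The sample lines are copied from the log posted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [do33RXc2j] mdmcurs.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""


@dataclass
class Entry:
    kind: str    # HijackThis section: O4, O18, O20 or O23
    where: str   # registry key, startup folder, MIME type or service owner
    name: str    # value name, shortcut, CLSID, notify package or service name
    target: str  # command line, executable or DLL exactly as logged


# One regex per line shape; group order is normalised in parse_log().
PATTERNS = [
    ("O4", re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[(.+?)\] (.+)$")),
    ("O4", re.compile(r"^O4 - ((?:Global )?Startup): (.+?) = (.+)$")),
    ("O18", re.compile(r"^O18 - Filter: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")),
    ("O23", re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")),
]


def parse_log(text: str) -> List[Entry]:
    """Extract the O4/O18/O20/O23 entries from HijackThis log text."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if not m:
                continue
            g = m.groups()
            if kind == "O20":          # (package, dll)
                entries.append(Entry(kind, r"Winlogon\Notify", g[0], g[1]))
            elif kind == "O23":        # (display name, owner, path)
                entries.append(Entry(kind, g[1], g[0], g[2]))
            else:                      # (key or folder, name, target)
                entries.append(Entry(kind, g[0], g[1], g[2]))
            break
    return entries


def image_path(command: str) -> str:
    r"""Return the executable/DLL part of a logged command line.

    Handles the quoted form  "C:\Program Files\...\sgtray.exe" /r  and the
    unquoted form  C:\Program Files\...\TrueWeather.exe  (spaces, no quotes).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    parts = []
    for tok in command.split():
        parts.append(tok)
        if tok.lower().endswith((".exe", ".dll", ".scr", ".com")):
            break
    return " ".join(parts)


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair each entry that deserves a look with the reason it was flagged."""
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        img = image_path(e.target)
        if e.kind == "O4" and "\\" not in img:
            findings.append((e, "bare file name: found via the PATH search, so there is no fixed location to check"))
        if e.kind == "O18" and e.where.lower() == "text/html":
            findings.append((e, "MIME filter on text/html: the DLL sees every page Internet Explorer renders"))
        if e.kind == "O20":
            findings.append((e, "Winlogon Notify DLL: loaded into winlogon.exe at logon, before the user shell"))
        if e.kind == "O23" and e.where.lower() == "unknown owner":
            findings.append((e, "service binary carries no publisher information: verify the file by hand"))
    return findings


if __name__ == "__main__":
    for entry, why in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.kind:<4} {entry.name:<14} {entry.target}\n      -> {why}")
```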

#7 salex_007 (New Member, Topic Starter, 6 posts)
OK...The CasClient file, I found out, was associated with the Wasssup! file on my Desktop. I have since removed it through its Uninstall routine. Here are the scans you requested; it looks like more problems are arising with each scan. Tell me if I am wrong...

PandaScan:


Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Betting.lnk
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\All Users\Application Data\AdDestroyer
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Casino & Carrers
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Tech & gadgets.lnk
Virus:W32/Sober.I.worm Renamed Mailbox\Personal\Personal\Re: Your mail password\aol.DOC.scr
Virus:Exploit/Codebase.gen Disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\1Y79L54T\web[1].htm
Adware:Adware/Apropos No disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\auto_update[1].txt
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\classload[1].jar[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\classload[1].jar[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\classload[1].jar[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\SAlexander.isis\Local Settings\Temporary Internet Files\Content.IE5\MSA8W0HC\classload[1].jar[Installer.class]
Virus:W32/Mytob.S.worm Disinfected Personal Folders\Deleted Items\hello\document.zip[document.htm .exe]
Virus:W32/Sober.I.worm Renamed Personal Folders\Inbox\Re: Your mail password\aol.DOC.scr
Adware:Adware/Pacimedia No disinfected C:\RECYCLER\S-1-5-21-1482476501-1592454029-839522115-1005\Dc4.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Virus:W32/Sober.I.worm Renamed Mailbox\Personal\Personal\Re: Your mail password\aol.DOC_SCR.VIR


StartupPrograms:

"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow!\shlext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{F51C8712-2295-4543-A4A2-040470361535}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ctmaddin.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Salexander" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"24-7 Alert" -> shortcut to: "C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe -d 10,000" ["Digital Information Network"]
"Status Tool" -> shortcut to: "C:\Program Files\Winnov\Videum\WnvDStatus.exe" ["Winnov"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}\ = "Web Offer Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TopText\eapbh.dll" [file not found]

{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}\ = "Web Offer Bar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TopText\eapbh.dll" [file not found]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://companyweb

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, ""C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
MSSQLServer, MSSQLServer, "C:\MSSQL7\binn\sqlservr.exe" [MS]
Symantec AntiVirus Client, Norton AntiVirus Server, ""C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Thanks for the update on that CasClient program. We will remove it now.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

The Temp folders should be cleaned out periodically, as installation programs and hijack programs leave a lot of junk there. OK, before we go on, I want you to take note of this first. This program will wipe out all files in your Temporary folders, any file extensions that have a tilde (~) in them, .bak files, .chk files, .tmp files and index.dat files. Most of you should be ok with this, but there may be some who need these files. If you are one of them, do not follow this step. Post back a reply telling us about this. So if that's ok, then download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the CleanUp! button. Once it's done, you may click the Close button. When asked if you want to logoff, choose No.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint
AdDestroyer


Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars and delete these:
{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}
{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved and delete {F51C8712-2295-4543-A4A2-040470361535}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete ViewMgr


If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.


Delete the following files/folders if they exist (delete the folder if no filename is specified). Go by the directory given; if none is given, just do a search for them:

C:\Documents and Settings\All Users\Application Data\AdDestroyer
C:\Documents and Settings\SAlexander.isis\Favorites\Casino & Carrers
C:\Documents and Settings\SAlexander.isis\Favorites\Fun & Games\
C:\Documents and Settings\SAlexander.isis\Favorites\Going Places\
C:\Documents and Settings\SAlexander.isis\Favorites\Shop\
C:\Documents and Settings\SAlexander.isis\Favorites\Technology\
aol.DOC.scr
aol.DOC.scr
C:\RECYCLER\S-1-5-21-1482476501-1592454029-839522115-1005\Dc4.exe
C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
aol.DOC_SCR.VIR
C:\Program Files\Viewpoint\
C:\Program Files\Cas\
C:\PROGRA~1\TopText\


Restart and do the following:

*Please download: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run RegSeeker again; do the same thing again if anything is found. You may have to run RegSeeker 5-6 times, but you want it showing none to very few items. *Make sure to reboot between each use of the program.


After that's done, run a new HijackThis scan. Save the log file and post it here. Also give me a new scan/log for Panda and Silent Runners.
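The regedit steps in the post above delete two different kinds of thing: the two Explorer Bars CLSIDs are subkeys (the Silent Runners output lists them as `{...}\`), while the Approved entry and ViewMgr are values inside keys that must stay. As an added example, not a tool from this thread, the script below writes those same deletions as a Registry Editor (.reg) file so they can be read and backed up before being imported; the file name removal.reg is an assumption.

```python
from typing import Dict, Iterable, List

HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG")

# Whole subkeys to delete: the two "Web Offer Bar" CLSID keys under
# Explorer Bars named in the post above.
KEYS_TO_DELETE: List[str] = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars"
    r"\{9FF56D85-DB4F-4267-B669-8D05B0BF9A04}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars"
    r"\{F7384C48-97B6-45DF-A2FA-1D7762D32F9C}",
]

# Single values to delete while the containing key stays in place.
VALUES_TO_DELETE: Dict[str, List[str]] = {
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved":
        ["{F51C8712-2295-4543-A4A2-040470361535}"],
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run":
        ["ViewMgr"],
}


def check_key(key: str) -> None:
    """Reject paths regedit would not accept or that are far too broad to delete."""
    parts = key.split("\\")
    if parts[0] not in HIVES:
        raise ValueError(f"unknown root hive in {key!r}")
    if any(part == "" for part in parts):
        raise ValueError(f"empty path component in {key!r}")
    if len(parts) < 3:
        raise ValueError(f"{key!r} is a hive-level key; refusing to touch it")


def escape_name(name: str) -> str:
    """Backslashes and double quotes must be escaped inside a .reg value name."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def build_reg_file(keys: Iterable[str], values: Dict[str, Iterable[str]]) -> str:
    """Return the text of a .reg file that deletes `keys` and the listed `values`."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        check_key(key)
        lines.append(f"[-{key}]")        # leading '-' deletes the key and all its subkeys
        lines.append("")
    for key, names in values.items():
        check_key(key)
        lines.append(f"[{key}]")         # no '-': the key itself is kept
        for name in names:
            lines.append(f'"{escape_name(name)}"=-')   # '=-' deletes just this value
        lines.append("")
    return "\r\n".join(lines)            # regedit expects CRLF line endings


def write_reg_file(path: str, text: str) -> None:
    """Version 5.00 files are UTF-16 with a BOM; newline='' keeps the CRLFs intact."""
    with open(path, "w", encoding="utf-16", newline="") as fh:
        fh.write(text)


if __name__ == "__main__":
    reg_text = build_reg_file(KEYS_TO_DELETE, VALUES_TO_DELETE)
    print(reg_text)
    # Review the printed text and `reg export` the affected keys first (the
    # post's backup step); then write_reg_file("removal.reg", reg_text) and
    # apply it with `reg import removal.reg`.
```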

#9 salex_007 (New Member, Topic Starter, 6 posts)
Here is the Panda Log:



Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Adware Remover.lnk
Adware:Adware/Apropos No disinfected Windows Registry
Adware:Adware/WinTools No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Finances & Business
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/Weirdontheweb No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\WeirdOnTheWeb.url
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\SAlexander.isis\Application Data\Sskcwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\SAlexander.isis\Application Data\Sskknwrd.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\SAlexander.isis\Application Data\Sskuknwrd.dll
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\SAlexander.isis\Favorites\Technology\Tech & gadgets.lnk
Virus:W32/Sober.I.worm Renamed Mailbox\Personal\Personal\Re: Your mail password\aol.DOC_SCR.VIR
Virus:W32/Sober.I.worm Renamed Personal Folders\Inbox\Re: Your mail password\aol.DOC_SCR.VIR
Adware:Adware/Pacimedia No disinfected C:\RECYCLER\S-1-5-21-1482476501-1592454029-839522115-1005\Dc4.exe
Virus:W32/Sober.I.worm Renamed Mailbox\Personal\Personal\Re: Your mail password\aol.DOC_SCR.VIR


Here is the Silent Runner Log:

"Silent Runners.vbs", revision 38, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe" ["Symantec Corporation"]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow!\shlext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{6B19FEC2-A45B-11CF-9045-00A0C9039735}" = "Registered ActiveX Controls"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{D545EBD1-BD92-11CF-8772-00A0C9039735}" = "Developer Studio Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Visual Studio\Common\MSDev98\Bin\IDE\DEVXPGL.DLL" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\system32\NavLogon.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\system32\logon.scr" [MS]


Startup items in "Salexander" & "All Users" startup folders:
------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"24-7 Alert" -> shortcut to: "C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe -d 10,000" ["Digital Information Network"]
"Status Tool" -> shortcut to: "C:\Program Files\Winnov\Videum\WnvDStatus.exe" ["Winnov"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://companyweb

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
DefWatch, DefWatch, ""C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
MSSQLServer, MSSQLServer, "C:\MSSQL7\binn\sqlservr.exe" [MS]
Symantec AntiVirus Client, Norton AntiVirus Server, ""C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe" [null data]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


Based upon your last response, I searched my drive for aol.DOC.scr and aol.DOC_SVR.vir files and could not find them. I also could not locate the TopText directory. I had to run RegSeeker about 4 times and it finally came back with nothing found, so that was all cleared up I think.

Edited by salex_007, 16 June 2005 - 07:22 AM.


#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, RegSeeker may require a few cleanings. Just so you know, more stuff will come up (it doesn't necessarily mean it's bad) the next time you scan. It's just that almost everything you do in the computer may be recorded in the registry. For example, opening up a Word document may write a few entries into the registry. That's normal.

For those aol.doc files, I'm not sure where they are really. Do you use Outlook or Outlook Express for your emails? I see these files are infected in the following folders (assuming you use Outlook or OE):

Mailbox\Personal\Personal\Re: Your mail password\aol.DOC_SCR.VIR
Personal Folders\Inbox\Re: Your mail password\aol.DOC_SCR.VIR
Mailbox\Personal\Personal\Re: Your mail password\aol.DOC_SCR.VIR


Maybe you can find them there. You might want to delete the whole 'Re: Your mail password' item if you don't know what that is. It might be the virus email you got.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers while you are following the procedures below.

Uninstall WindUpdates, MyWebSearch

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\Documents and Settings\SAlexander.isis\Favorites\WeirdOnTheWeb.url
C:\Documents and Settings\SAlexander.isis\Application Data\Sskcwrd.dll
C:\Documents and Settings\SAlexander.isis\Application Data\Sskknwrd.dll
C:\Documents and Settings\SAlexander.isis\Application Data\Sskuknwrd.dll
C:\RECYCLER\S-1-5-21-1482476501-1592454029-839522115-1005\Dc4.exe


Delete these manually:

C:\Documents and Settings\All Users\Start Menu\Programs\Web Search Tools
C:\Documents and Settings\SAlexander.isis\Favorites\Finances & Business
C:\Documents and Settings\SAlexander.isis\Favorites\Technology\


Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and delete these if found:
dw79rfk4e
autoloaderaproposclient
autoloadertw011aklknla
autoupdater
pm7r36p
s7ov3pe

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.


Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CLASSES_ROOT\clsid\{016235be-59d4-4ceb-add5-e2378282a1d9}]
[-HKEY_CLASSES_ROOT\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}]
[-HKEY_CLASSES_ROOT\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}]
[-HKEY_CLASSES_ROOT\interface\{b548b7d8-3d03-4aed-a6a1-4251fad00c10}\inavigateevent]
[-HKEY_CLASSES_ROOT\interface\{b99a727f-0782-4a71-bcc2-6e1e66414904}\inavigateevent2]
[-HKEY_CLASSES_ROOT\interface\{bc333116-6ea1-40a1-9d07-ecb192db8cea}]
[-HKEY_CURRENT_USER\software\apropos]
[-HKEY_CURRENT_USER\software\classes\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dw79rfk4e]
[-HKEY_LOCAL_MACHINE\software\apropos]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{016235be-59d4-4ceb-add5-e2378282a1d9}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoloaderaproposclient]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoloadertw011aklknla]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\autoupdater]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\pm7r36p]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\s7ov3pe]
[-HKEY_USERS\.default\software\microsoft\windows\currentversion\internet settings\zonemap\domains\apropos-media.com]


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.


Restart and post back a new Panda and HijackThis log. We should almost be done now.
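The post above has you merge a REGEDIT4 file that deletes registry keys. Before double-clicking such a file it is worth seeing exactly what it will do, because the syntax is easy to get wrong: "[-Key]" removes a key and everything under it, while a Run entry such as "autoupdater" is a value under the Run key, and removing a value needs "[Key]" on one line followed by "\"autoupdater\"=-" on the next. The following dry-run parser is an added example written for this thread; it is not a tool from the post, from RegSeeker or from KillBox. It understands the REGEDIT4 and "Windows Registry Editor Version 5.00" headers, key creation and deletion, string and dword values, and value deletion, and decodes nothing else. The sample file below reuses three keys from the post's delete.reg and adds a constructed stanza to show value deletion.

```python
"""Dry-run parser for .reg files: list the operations a merge would apply.

Added example for this thread, not code from the original post.  Handles
the REGEDIT4 (ANSI) and "Windows Registry Editor Version 5.00" headers,
[Key] / [-Key] lines, "Name"="text", "Name"=dword:xxxxxxxx, @="default"
and "Name"=- (value deletion).  hex: values are passed through as text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ROOTS = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_DELETE = object()  # sentinel returned by _decode_value for "Name"=-


@dataclass
class RegOp:
    action: str                 # create_key | delete_key | set_value | delete_value
    key: str
    name: str | None = None     # None for key ops, "" for the (Default) value
    value: object = None


def _decode_value(raw):
    raw = raw.strip()
    if raw == "-":
        return _DELETE
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex:, hex(2):, hex(7): ... left as written


def parse_reg(text):
    """Return the list of RegOp a .reg file would apply, in file order."""
    lines = text.replace("\r\n", "\n").split("\n")
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError(f"unrecognised .reg header: {header!r}")
    ops, current, i = [], None, 1
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            if not line.endswith("]"):
                raise ValueError(f"bad key line: {line!r}")
            body = line[1:-1]
            delete = body.startswith("-")
            key = body[1:] if delete else body
            if key.split("\\", 1)[0].upper() not in ROOTS:
                raise ValueError(f"unknown root hive in {key!r}")
            if delete:
                ops.append(RegOp("delete_key", key))
                current = None          # values cannot follow a [-Key] line
            else:
                current = key
                ops.append(RegOp("create_key", key))
            continue
        # long hex values continue on the next line after a trailing backslash
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unexpected line: {line!r}")
        name = m.group(1) if m.group(1) is not None else ""
        decoded = _decode_value(m.group(2))
        if decoded is _DELETE:
            ops.append(RegOp("delete_value", current, name))
        else:
            ops.append(RegOp("set_value", current, name, decoded))
    return ops


def summarize(ops):
    """Counts per action plus the keys the merge would remove outright."""
    counts = {}
    for op in ops:
        counts[op.action] = counts.get(op.action, 0) + 1
    return counts, [op.key for op in ops if op.action == "delete_key"]


def render_value_delete(key, name):
    """Stanza that removes a *value* such as a Run entry; [-Key] would not."""
    return f'[{key}]\n"{name}"=-\n'


# Constructed sample: three keys from the post's delete.reg plus an invented
# stanza under the Run key to exercise value deletion and value assignment.
SAMPLE_REG = """REGEDIT4

[-HKEY_CLASSES_ROOT\\clsid\\{016235be-59d4-4ceb-add5-e2378282a1d9}]
[-HKEY_CURRENT_USER\\software\\apropos]
[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\explorer\\browser helper objects\\{016235be-59d4-4ceb-add5-e2378282a1d9}]

; constructed: delete two Run *values* and set two others
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run]
"autoupdater"=-
"pm7r36p"=-
"EnableExample"=dword:00000001
@="default text"
"""

if __name__ == "__main__":
    for op in parse_reg(SAMPLE_REG):
        print(op)
```

Run it on any .reg file before merging; an exception means a line the parser (and possibly regedit) does not understand, and the summary shows how many keys disappear versus how many values are merely edited.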

#11 salex_007 (Topic Starter, New Member, 6 posts)

Here is the Panda scan:

Incident                    Status           Location
Adware:Adware/WinTools      No disinfected   Windows Registry
Adware:Adware/EliteBar      No disinfected   C:\Documents and Settings\SAlexander.isis\Favorites\Health & Insurance
Adware:Adware/MyWebSearch   No disinfected   Windows Registry
Virus:W32/Sober.I.worm      Renamed          Personal Folders\Inbox\Re: Your mail password\aol.DOC_SCR.VIR

Here is the HijackThis scan:
Logfile of HijackThis v1.99.1
Scan saved at 05:10:37 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
C:\Program Files\Winnov\Videum\WnvDStatus.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\My Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O4 - Global Startup: Status Tool.lnk = C:\Program Files\Winnov\Videum\WnvDStatus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...e
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://public.ansi.o...rces/msddsc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114381910093
O16 - DPF: {7D30109B-DD2B-4339-BE80-1CD48723C2BC} (LiveX(v6.0)) - http://www.vs-us.com...vers/Live60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BF5E26B7-7087-4C2D-B0BA-0098F7CBED6B} (LiveX(5.4.0.0) Control) - http://www.vs-us.com...vers/live54.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\Software\..\Telephony: DomainName = isis.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = isis.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = isis.local
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



I hope this is getting close to the end...

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Those should be minor registry entries.

Check and fix these in HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...e


Delete this folder:

C:\Documents and Settings\SAlexander.isis\Favorites\Health & Insurance

Were you able to delete the aol thing? Do you use Outlook or OE? I still see this entry:

Personal Folders\Inbox\Re: Your mail password\aol.DOC_SCR.VIR

Download ETRemover and unzip it. Don't run it yet.

Boot into Safe Mode and run ETRemover.exe. Then restart your computer.

*Please download: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs and make sure that everything opens OK. If so, reboot, then go back and run RegSeeker again; do the same thing again if anything is found. You may have to run RegSeeker 5-6 times, but you want it showing none to very few items. *Make sure to reboot between each use of the program.


Your log is clean.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Make sure to get the latest updates for Windows and Internet Explorer at http://v5.windowsupd...t.aspx?ln=en-us.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
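The triage in the post above (which O4, O16, O20 and O23 lines to fix, which to leave) is done by eye. The script below is an added example, not part of the thread and not a HijackThis feature: it parses those four sections of a v1.99 log and applies the mechanical checks an analyst runs first, namely Run entries given as a bare file name (resolved through the search path at logon) or living in a user-writable directory, ActiveX controls fetched over plain http, Winlogon Notify DLLs outside system32, and services for which HijackThis printed "Unknown owner". A flag means "verify by hand", not "malicious": on the sample it flags WLTRYSVC, the Broadcom wireless helper that is legitimate on this machine, purely because no vendor string was printed. The first seven sample lines are copied from the log in this thread; the last three (the dw79rfk4e path, the example.invalid hosts and the all-zero CLSIDs) are constructed to exercise the remaining checks.

```python
"""Mechanical triage of HijackThis v1.99 log lines.

Added example for this thread, not part of HijackThis or of the post.
Only O4 (Run keys, Startup folders), O16 (ActiveX downloads), O20
(Winlogon Notify DLLs) and O23 (services) are parsed; other sections
return None.  A flag is a prompt to verify, never a verdict.
"""
import re
from dataclasses import dataclass, field

O4_RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Directories an unprivileged user (or a drive-by installer) can write to.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\",
                 "\\application data\\", "\\local settings\\")


@dataclass
class Entry:
    section: str
    name: str
    target: str                  # executable path, DLL path or download URL
    flags: list = field(default_factory=list)


def exe_path(cmd):
    """Executable path from a Run command line, quoted or not, minus arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", cmd)   # unquoted path may contain spaces
    return m.group(1) if m else cmd.split(" ", 1)[0]


def _path_flags(path, require_system32=False):
    low = path.lower()
    flags = []
    if not re.match(r"^[a-z]:\\", low):
        flags.append("bare file name, resolved through the search path at logon")
    if any(d in low for d in USER_WRITABLE):
        flags.append("lives in a user-writable directory")
    if require_system32 and not re.match(r"^[a-z]:\\windows\\system32\\", low):
        flags.append("outside system32")
    return flags


def parse_line(line):
    """One log line -> Entry with its flags, or None for sections not handled."""
    line = line.strip()
    if m := O4_RUN_RE.match(line) or O4_LNK_RE.match(line):
        path = exe_path(m.group("cmd"))
        return Entry("O4", m.group("name"), path, _path_flags(path))
    if m := O16_RE.match(line):
        url = m.group("url")
        flags = [] if url.lower().startswith("https://") else \
                ["ActiveX control fetched over plaintext http"]
        return Entry("O16", m.group("name") or m.group("clsid"), url, flags)
    if m := O20_RE.match(line):
        return Entry("O20", m.group("name"), m.group("path"),
                     _path_flags(m.group("path"), require_system32=True))
    if m := O23_RE.match(line):
        flags = _path_flags(m.group("path"))
        if m.group("owner").lower() == "unknown owner":
            flags.append("no vendor string; verify the binary's publisher")
        return Entry("O23", m.group("name"), m.group("path"), flags)
    return None


def triage(log_text):
    """Return (all parsed entries, the subset carrying at least one flag)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


# Constructed sample: lines 1-7 are from the log in this thread; lines 8-10
# are invented (path, example.invalid hosts, zero CLSIDs) for coverage.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: 24-7 Alert.lnk = C:\Program Files\Common Files\24-7 Alert\TrueWeather.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O4 - HKCU\..\Run: [dw79rfk4e] C:\Documents and Settings\user\Application Data\updater.exe
O16 - DPF: {00000000-0000-0000-0000-000000000001} (Example Control) - http://downloads.example.invalid/ctl.cab
O16 - DPF: {00000000-0000-0000-0000-000000000002} (Example Control 2) - https://downloads.example.invalid/ctl2.cab
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)[1]:
        print(f"{e.section} {e.name}: {e.target}\n    " + "\n    ".join(e.flags))
```

Paste a whole log into SAMPLE_LOG's place (or read it from a file) and review the flagged list first; entries with no flags still need the usual publisher and path checks, the script only orders the work.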

#13 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Since this issue appears to be resolved, this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.