Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

malware infection

Started by simon harrison , Jun 17 2005 01:58 AM

  • Please log in to reply

#1
simon harrison
Posted 17 June 2005 - 01:58 AM

simon harrison

    Member

  • Member
  • PipPip
  • 21 posts
Hi

I've been helped by you guys before very successfully and I'm back. My work PC seems clean enough from all the preventative software you recommend but there's a couple of strange things occurring: It's and XP Pro PC which has an issue on shutdown such that it tries to reboot (I've now turned off autoreboot on blue screen) and also the dialogue box for display shows no tabs only the themes section. if i change the theme and apply i can just see the top edge of the tabs and i get an error message rundll32.exe not found appn failed as gdiplus.dll not found. i only think this is malware as i've read a bit about a gdiplus trojan. ewido didn't find it. whilst here and out of interest do you consider it worth paying the $20 for the full ewido suite, does it add much over the manually run system?

here's my hjt

thanks in advance for your help.

simon harrison

Logfile of HijackThis v1.99.1
Scan saved at 08:44:42, on 17/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\DeskView\DNAgent\DNAgent.Exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\PROGRA~1\DeskView\DVAnPMan\DVAnPMan.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PC-Duo Enterprise Client\clMeterSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PC-DUO~2\ClBoot32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\WINDOWS\system32\userinit.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\HarrisonS\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=192.168.000.109:1080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LUGuard] C:\PC-DUO~2\LUGuard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cchuk.webex....ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C70ABE7-D71C-49BB-AE8D-A80EA0D740FD}: NameServer = 192.168.0.182
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DeskView Agent - Fujitsu Siemens Computers - C:\PROGRA~1\DeskView\DNAgent\DNAgent.Exe
O23 - Service: DeskView AnP Manager (DVAnPMan) - Fujitsu Siemens Computers - C:\PROGRA~1\DeskView\DVAnPMan\DVAnPMan.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FSC ServerView Services - Fujitsu Siemens Computers - C:\PROGRA~1\FUJITS~1\SERVER~1\SERVER~1\scripts\SERVER~1\SnmpTrap\AlarmService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANutil32 Distribution Agent - Vector Networks Limited - C:\PC-Duo Enterprise Client\CLDISTSVC.EXE
O23 - Service: LANutil32 Scheduler - Unknown owner - C:\Program Files\PC-Duo Enterprise\LU32Scheduler.exe
O23 - Service: LANutil32 Software Metering Agent - Vector Networks Limited - C:\PC-Duo Enterprise Client\clMeterSvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  • 0

Advertisements

#2
Metallica
Posted 12 July 2005 - 05:07 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
I assume you installed this software yourself?
http://www.vector-ne...ote-control.php

I can't see any malware running.

Regards,
  • 0

#3
simon harrison
Posted 13 July 2005 - 02:09 AM

simon harrison

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Pieter
Yes this software is ok. The pc isn't running badly apart from shutdown and the display dialogue box. I was concerned as I had smitfraud-c at home (which usetobe resolved) and this attacked the display dialogue taking out all the tabs. Since my original post I have reinstalled gdiplus.dll but the tabs issue remains. If I change the theme then I can just see the top edge of the tabs enough to navigate. Should I just put up with it as there are no malware issues?

Cheers

Simon
  • 0

#4
Metallica
Posted 13 July 2005 - 03:26 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Copy the part in bold below into notepad and save it as permitall.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager]
"ThemeActive"="1"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,72,00,65,00,73,00,6f,00,75,00,72,00,63,00,65,00,73,00,5c,\
00,54,00,68,00,65,00,6d,00,65,00,73,00,5c,00,6c,00,75,00,6e,00,61,00,5c,00,\
6c,00,75,00,6e,00,61,00,2e,00,6d,00,73,00,73,00,74,00,79,00,6c,00,65,00,73,\
00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-
"NoAddingComponents"=-
"NoComponents"=-
"NoDeletingComponents"=-
"NoEditingComponents"=-
"NoCloseDragDropBands"=-
"NoMovingBands"=-
"NoHTMLWallPaper"=-


Doubleclick the file and confirm you want to merge it with the registry.

Reboot and check under Properties of your desktop if the Browse button is usable again.

Regards,
  • 0

#5
simon harrison
Posted 13 July 2005 - 03:52 AM

simon harrison

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Pieter

No change I'm afraid. I'm not sure those changes were made to the registry, although the file asked if they were to be added. I've looked in regedit and there's no sign of the information in your file.


In this section [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager] I found the following line as dllname reg_expand_sz


%SystemRoot%\resources\Themes\luna\luna.msstyles.

Regards

Simon
  • 0

#6
Metallica
Posted 13 July 2005 - 11:27 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
luna.msstyles
That is the style that is commonly known as the `XP style` as opposed to the ´classic style´

The hex I posted gets translated to that entry, so it isn´t different from what you imported.

I assumeD you already tried this regfile:
http://metallica.gee...m/smitfraud.reg
If not, you should.

Regards,
  • 0

#7
simon harrison
Posted 14 July 2005 - 02:22 AM

simon harrison

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Pieter

I hadn't run the smitfraud one; now I have there is no change. If you think it's nothing sinister don't worry about sorting it. When I shutdown I still get a blue screen (i've turned off auto reboot) and on reboot an error submission request.

Here's my latest hjt log for your lookover.

Thanks

Simon
  • 0

#8
simon harrison
Posted 14 July 2005 - 02:23 AM

simon harrison

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
oops and here is the log...

Logfile of HijackThis v1.99.1
Scan saved at 09:13:04, on 14/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\PROGRA~1\DeskView\DNAgent\DNAgent.Exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\PROGRA~1\DeskView\DVAnPMan\DVAnPMan.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PC-Duo Enterprise Client\clMeterSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Documents and Settings\HarrisonS\Desktop\HijackThis.exe
C:\Program Files\Common Files\Network Associates\McUpdate\MCUPDATE.EXE
C:\Program Files\Common Files\Network Associates\LWI\LWI.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.fujitsu-siemens.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=192.168.000.109:1080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [LUGuard] C:\PC-DUO~2\LUGuard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Phone Connection Monitor.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.fujitsu-siemens.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cchuk.webex....ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C70ABE7-D71C-49BB-AE8D-A80EA0D740FD}: NameServer = 192.168.0.182
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DeskView Agent - Fujitsu Siemens Computers - C:\PROGRA~1\DeskView\DNAgent\DNAgent.Exe
O23 - Service: DeskView AnP Manager (DVAnPMan) - Fujitsu Siemens Computers - C:\PROGRA~1\DeskView\DVAnPMan\DVAnPMan.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: FSC ServerView Services - Fujitsu Siemens Computers - C:\PROGRA~1\FUJITS~1\SERVER~1\SERVER~1\scripts\SERVER~1\SnmpTrap\AlarmService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANutil32 Distribution Agent - Vector Networks Limited - C:\PC-Duo Enterprise Client\CLDISTSVC.EXE
O23 - Service: LANutil32 Scheduler - Unknown owner - C:\Program Files\PC-Duo Enterprise\LU32Scheduler.exe
O23 - Service: LANutil32 Software Metering Agent - Vector Networks Limited - C:\PC-Duo Enterprise Client\clMeterSvc.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
  • 0

#9
Metallica
Posted 14 July 2005 - 03:38 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
We are trying all kinds of stuff for a similar problem with the tabs here:
http://www.geekstogo...t39509-s30.html

Can you try and upgrade to SP2 for XP and IE ?
That will replace a lot of system files and might solve the shutdown problem.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP