
Smitfraud issues


#1 ejm93 (Member, 24 posts)
Ran HijackThis and here's my log.

Any ideas?

Computer is running alright. I have the blue screen, and with most programs, when I shut them down I get an error message, Application Error, "memory could not be read". Can't use Ctrl+Alt+Del, and when I try running taskmgr it says it's in use by another program.

Keep doing virus and spyware scans and keep deleting files; the firewall keeps blocking connections. I'm running, but not too well!

Edited to add: I sorted out the Ctrl+Alt+Del/taskmgr issue. I also sorted out the background issue. Now my major issue is the "memory could not be read" issue. My computer keeps finding viruses, I keep deleting them, and more keep coming back. Sigh.

Anyway, here's the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 6:27:15 AM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\system32\init32ym.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\winupdates\winupdates.exe
C:\WINDOWS\system32\winldra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\system32\msiev32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co.../ysb_cheatx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O16 - DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - http://service.sympa...re/codebaby.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartph...x/PCAXSetup.cab?
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Edited by ejm93, 22 June 2005 - 08:42 AM.

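A first-look triage of the log above, as an added example (mine, not part of the thread and not HijackThis's own logic). The rules are generic responder heuristics: a Winlogon Shell value that launches anything besides Explorer.exe, browser add-on DLLs dropped straight into system32, Run entries named after Windows Update, ActiveX controls fetched from dynamic-DNS hosts, and services whose binary is no longer on disk. The sample input is a constructed subset of the posted log (the truncated URLs are as posted); the dynamic-DNS list and the lookalike-name pattern are my assumptions. A hit means "verify this", not "this is malware".

```python
"""Triage the first-look entries of a HijackThis v1.99 log.

Added example, not from the thread and not HijackThis's own verdict logic.
"""
import re
from urllib.parse import urlparse

# Constructed subset of the log posted above; truncated URLs are as posted.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe init32ym.exe
O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\system32\msiev32.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: dynamic-DNS providers treated as untrusted sources of ActiveX code.
DYNDNS_SUFFIXES = ("no-ip.com", "no-ip.org", "dyndns.org", "dyndns.com")
# Assumption: Run-key names that imitate Windows Update or Security Center.
LOOKALIKE = re.compile(r"win\s*updates?\b|windows\s*update|security\s*(center|update)", re.I)
# A DLL sitting directly in %SystemRoot%\system32 rather than under Program Files.
SYSTEM32_DLL = re.compile(r"\\windows\\system32\\[^\\]+\.dll$", re.I)


def triage_line(line):
    """Return a reason string if the line deserves a closer look, else None."""
    section, _, body = line.partition(" - ")
    if section == "F2" and "Shell=" in body:
        # Winlogon's Shell value normally contains exactly Explorer.exe.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            return "Winlogon Shell starts an extra program: " + shell
    elif section in ("O2", "O3"):
        if SYSTEM32_DLL.search(body.rsplit(" - ", 1)[-1]):
            return "browser add-on DLL sits directly in system32; vendors normally install under Program Files"
    elif section == "O4":
        if LOOKALIKE.search(body):
            return "Run entry named like a Windows component; confirm the publisher before trusting it"
    elif section == "O16":
        host = (urlparse(body.rsplit(" - ", 1)[-1]).hostname or "").lower()
        if host.endswith(DYNDNS_SUFFIXES):
            return "ActiveX control downloaded from a dynamic-DNS host: " + host
    elif section == "O23" and "(file missing)" in body:
        return "service registered for a binary that is no longer on disk"
    return None


def triage(log_text):
    """Return [(section, reason, line)] for every log line that trips a rule."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reason = triage_line(line)
        if reason:
            hits.append((line.partition(" - ")[0], reason, line))
    return hits


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:>4}  {reason}\n      {line}")
```

On the constructed sample this flags five of the eight lines and leaves NeroCheck, the Windows Update control and the iPod service alone. The F2 hit is the one that matters most for persistence: whatever is appended to Shell= is started by Winlogon at every logon, which is why Wizard asks for that file first.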


#2 Wizard (Retired Staff, 5,661 posts)
Hi ejm93, and welcome!

If you will, please send me a copy of this file:

C:\WINDOWS\system32\init32ym.exe

You may need to have Windows configured to show hidden files in order to find it!
http://www.bleepingc...torial=62#winxp

Locate init32ym.exe, then right-click the file, select "Send to" and then select "Compressed (zipped) Folder".

Email that zipped folder here: [email protected]

Once you have sent it, delete the zip folder and download this Reg Search Tool.

Go here:
http://www.billsway.com/vbspage/

Scroll down the page and download the "Registry Search Tool".

Unzip RegSrch.zip to the desktop.

Double-click on RegSrch.vbs.

If you get a warning from your antivirus, please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter init32ym.exe into the search box and save the results!

Please download the MWAV scanner from here.

Unzip it to its predetermined directory (C:\Kaspersky).

Locate "kavupd.exe" in the new folder and double-click to update!

If it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!

When you see "Updates downloaded successfully":

Please press Enter to continue!

It should open automatically. Leave the "Default Settings" ticked and add a tick to "Drives"; this will light up "All Drives". Click "Scan Clean" to begin!

This scan will take several hours or more to complete, depending on the hard drive size!

Please be sure it is completed before proceeding!

Once the scan has finished, all entries identified as infected will be displayed in the lower pane!

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to copy!

Open a blank Notepad page and paste the results (Ctrl+V) into it!

Post those results along with a fresh HijackThis log and the results from the Reg Search!

Edited by Cretemonster, 22 June 2005 - 07:12 PM.

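The two manual steps in the post above (package the suspect file for submission, then search the registry for every mention of its name) as one script. This is an added example, not from the thread and not Bill James's RegSrch tool; it assumes PowerShell 5 or later run from an elevated prompt on the affected machine, and $Needle, $SuspectPath and the report path are my parameter names.

```powershell
# Added example: zip a suspect file and search all registry hives for its name.
param(
    [string]$Needle      = 'init32ym.exe',
    [string]$SuspectPath = "$env:SystemRoot\system32\init32ym.exe"
)
$desktop = [Environment]::GetFolderPath('Desktop')

# 1. Package the suspect file. -Force lets Get-Item see hidden/system files;
#    Compress-Archive stores the bytes unchanged, so the analyst gets the real sample.
if (Get-Item -LiteralPath $SuspectPath -Force -ErrorAction SilentlyContinue) {
    Compress-Archive -LiteralPath $SuspectPath -DestinationPath (Join-Path $desktop 'sample.zip') -Force
    "Zipped $SuspectPath to $desktop\sample.zip"
} else {
    "Not found: $SuspectPath (check 'Show hidden files', or it has already been removed)"
}

# 2. Walk HKLM and HKEY_USERS (which contains every loaded HKCU) and report any
#    key name, value name or value data containing the needle. PowerShell only
#    exposes HKLM: and HKCU: as drives by default, so HKU: is mapped here.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
}
$hits = foreach ($root in 'HKLM:\', 'HKU:\') {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -like "*$Needle*") { "[$($key.Name)]  <key name matches>" }
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            if ($valueName -like "*$Needle*" -or $data -like "*$Needle*") {
                "[$($key.Name)]`n  `"$valueName`"=`"$data`""
            }
        }
    }
}
$report = Join-Path $desktop "regsearch-$Needle.txt"
$hits | Tee-Object -FilePath $report
"$(@($hits).Count) hit(s) written to $report"
```

Reading the result: a hit under ShellNoRoam\MUICache, which is what ejm93's search returns in the next post, records that Explorer displayed the program at some point, so it shows the binary was run under that user, not how it is started. The start mechanism is a separate entry, here the Shell= value in the first HijackThis log, and that is the entry to remove.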

#3 ejm93 (Topic Starter, 24 posts)
That was quick... here you go:

REGISTRY LOG -

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "init32ym.exe" 6/22/2005 10:14:12 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-854245398-1614895754-725345543-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\WINDOWS\\system32\\init32ym.exe"="init32ym"


VIRUS LOG INFORMATION -

File C:\WINDOWS\winsms.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\WINDOWS\dvpd.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\WINDOWS\prntsvra.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\vtd_16.exe infected by "Backdoor.Win32.Haxdoor.dj" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\draw32.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

HIJACKTHIS LOG -

Logfile of HijackThis v1.99.1
Scan saved at 10:22:41 PM, on 6/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Kaspersky\mwavscan.com
C:\Kaspersky\kavss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O16 - DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - http://service.sympa...re/codebaby.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartph...x/PCAXSetup.cab?
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Edited by ejm93, 22 June 2005 - 08:23 PM.


#4 ejm93 (Topic Starter, 24 posts)
Just realized I forgot to click "Drive" for the virus scanner (eScan), so I'm doing it again; will post with THAT log as soon as it's complete (so far, one trojan found, and it says it was deleted).

Here you go.
VIRUS LOG INFORMATION (for all of drive C) -

File C:\WINDOWS\system32\drivers\etc\hosts infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052855.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052900.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052901.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052902.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052903.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052904.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052905.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052906.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052907.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052908.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052909.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052910.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052911.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052912.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622052913.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622053344.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110851.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110900.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110912.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110921.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110931.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110943.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622110954.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111002.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111009.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111018.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111028.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111049.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111103.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111123.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111141.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111201.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111211.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111221.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111230.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111239.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622111253.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622132416.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622144924.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622221952.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\Program Files\Common Files\PestPatrol\Quarantine\20050622221955.zip infected by "Trojan.Win32.Qhost" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000013.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000014.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000016.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000030.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000031.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000033.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000048.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000049.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000051.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000082.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000083.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000084.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000095.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000096.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000098.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000158.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000159.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000168.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000175.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000176.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000187.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000223.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000225.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000226.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000247.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000259.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000260.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000269.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000281.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000282.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000291.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000305.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000306.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000315.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000374.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000378.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000380.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000386.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000388.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000396.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000402.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000403.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000412.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000486.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000490.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000496.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000502.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000503.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000512.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000523.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000525.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP2\A0000527.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000564.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000566.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000567.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000591.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000593.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0000594.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001590.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001591.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001610.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001624.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001626.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001627.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001645.dll infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001646.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP3\A0001648.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007932.DLL infected by "Backdoor.Win32.Dumador.cb" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007933.dll infected by "Backdoor.Win32.Dumador.ce" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007934.dll infected by "Backdoor.Win32.Small.fm" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007937.exe infected by "Backdoor.Win32.Haxdoor.dj" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007938.dll infected by "BkCln.Unknown" Virus. Action Taken: File Renamed.

Edited by ejm93, 22 June 2005 - 09:24 PM.

  • 0

#5
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, looks like MWAV did a fine job for us!!

Please Locate and Delete C:\Windows\Web\desktop.html and C:\WINDOWS\desktop.html

Please Download Spywad Regonly.exe to your C:\ Drive (This MUST run from the C:\ drive in order to work)
http://www.bleepingc...-2k-Regonly.zip

Unzip and be sure to "Extract All Files"

Double Click "Clean Spywad Regonly.exe" This should automatically open the "Clean Spywad Regonly" folder!

Double Click on the "Reg only XP2k Spywad.vbs" (Please DO NOT run any of the other files until asked)

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it, just double-click the cleandesktop.vbs script again; you sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once that is completed, if there are any other users on the system, they will need to log in under that user name to clean up their desktop and regain the right click.

Included is another vbs to do this. It is named "Other Profiles Regfix.vbs"

Have each User sign in and run "Other Profiles Regfix.vbs"
Locate C:\Clean Spywad Regonly folder> Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop & select Properties/Desktop & select your preferred picture, press Apply & then OK to exit, and then press F5.

You will need to do this step for every user account.

Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders; this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...torial=62#winxp

Open the Search Assistant (Click Start >> Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders

Now under All Files and Folders, enter this into the text box:

winsms

dvpd

prntsvra

vtd_16

draw32

init32ym

winldra


Delete any exact matches of the filenames listed above!

Locate and Delete this folder!

C:\Program Files\winupdates << The entire winupdates folder please!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

RIGHT-CLICK HERE and go to Save As (in IE it's "Save Target As") in order to download the smitfraud reg to your desktop.

Double-click smitfraud.reg on your desktop. When asked if you want to merge with the registry click YES.

Restart the PC once more and Post back with the report from Panda and a fresh HijackThis log!
  • 0

#6
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
When searching and deleting the files, I also had to unclick the option so I could see Windows System files (or whatever it was.. the recommended option.. same window as show hidden).

I tried running ActiveScan but couldn't run it. When the page came up to select what I wanted to scan, I got "Error on page" at the bottom of the window; if I clicked and held my mouse over what I wanted to scan, it said, "java script: ActiveScan(0);"

So, I ran Ewido (updated) and here's the log:
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:25:00 PM, 6/23/2005
+ Report-Checksum: 222428C7

+ Date of database: 6/23/2005
+ Version of scan engine: v3.0

+ Duration: 41 min
+ Scanned Files: 72001
+ Speed: 28.94 Files/Second
+ Infected files: 8
+ Removed files: 8
+ Files put in quarantine: 8
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\sys462.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000017.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP1\A0000034.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP4\A0001789.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP8\A0007878.dll -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007937.exe.mwt -> Backdoor.Haxdoor.dj -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007956.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{1CE0F49C-E38B-4D61-BDBE-6A03EB0F5CEF}\RP9\A0007969.exe -> TrojanDownloader.Small.aou -> Cleaned with backup


::Report End

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:29:13 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O16 - DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - http://service.sympa...re/codebaby.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartph...x/PCAXSetup.cab?
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
  • 0
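An added triage helper (example code, not from the thread, from HijackThis or from Geeks to Go) that parses the O4, O16 and O23 lines of a HijackThis 1.99 log like the one above and flags entries worth a second look: autostart items whose file name is on the search list Wizard gave in #5, shortcuts with an unknown target, DPF controls whose URL the forum software has truncated, and services marked "(file missing)" or with an unknown owner. The flag names and the one O4 line marked as constructed are assumptions of this example; a flag means "review this", not "this is malicious".

```python
"""Triage helper for HijackThis v1.99-style logs.

Added example for this thread; it is not part of the original posts, of
HijackThis, or of Geeks to Go.  It parses the O4 (autostart), O16 (DPF /
downloaded ActiveX) and O23 (service) lines and flags the entries a helper
would look at first.  A flag means "review this", not "this is malicious".
"""
import re
from dataclasses import dataclass, field
from typing import List

# File names Wizard asked the poster to search for in post #5 (from the thread).
WATCHLIST = {"winsms", "dvpd", "prntsvra", "vtd_16", "draw32", "init32ym", "winldra"}

# Constructed sample: lines copied from the log posted above, plus one O4 line
# (the [draw32] one) constructed only to exercise the watchlist check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [draw32] C:\WINDOWS\system32\draw32.dll
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
"""


@dataclass
class Entry:
    kind: str                 # "O4", "O16" or "O23"
    name: str                 # Run value name, .lnk name, DPF control name or service display name
    target: str               # executable file name, DPF host, or service image path
    flags: List[str] = field(default_factory=list)


# Last path component ending in an executable-type extension (no '\', '/' or '"' inside).
EXE_RE = re.compile(r'([^\\/"]+\.(?:exe|dll|scr|com|bat|cmd|vbs))', re.I)
# O16 - DPF: {CLSID} (optional name) - URL
O16_RE = re.compile(r'^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$')
HOST_RE = re.compile(r'^[a-z]+://([^/?#]+)', re.I)


def parse_o4(line: str) -> Entry:
    """O4 lines come as '[Name] command' (Run keys) or 'Name.lnk = target' (startup folders)."""
    _location, _, rest = line[len("O4 - "):].partition(": ")
    if rest.startswith("["):
        name, _, cmd = rest[1:].partition("] ")
    else:
        name, _, cmd = rest.partition(" = ")
    m = EXE_RE.search(cmd)
    exe = m.group(1) if m else ""
    entry = Entry("O4", name, exe or cmd.strip())
    if not exe:
        entry.flags.append("unknown-target")      # e.g. a shortcut HijackThis shows as '= ?'
    stem = exe.rsplit(".", 1)[0].lower()
    if stem in WATCHLIST:
        entry.flags.append("watchlist:" + stem)
    return entry


def parse_o16(line: str) -> Entry:
    """O16 (DPF) entries are ActiveX controls downloaded from the web; record where from."""
    m = O16_RE.match(line)
    if not m:
        return Entry("O16", line, "", ["unparsed"])
    clsid, name, url = m.groups()
    h = HOST_RE.match(url)
    host = h.group(1) if h else url
    entry = Entry("O16", name or clsid, host)
    # The forum shortens long URLs with '...'; if that fell inside the host name
    # the host is unusable and the full URL must be taken from the raw log.
    if "..." in host:
        entry.flags.append("truncated-host")
    elif "..." in url:
        entry.flags.append("truncated-url")
    return entry


def parse_o23(line: str) -> Entry:
    """O23 lines: 'display name - owner - image path', path may itself contain ' - '."""
    parts = line[len("O23 - Service: "):].split(" - ")
    display = parts[0]
    owner = parts[1] if len(parts) > 1 else ""
    path = " - ".join(parts[2:])
    entry = Entry("O23", display, path)
    if path.endswith("(file missing)"):
        entry.flags.append("file-missing")        # stale or broken service entry
    if owner == "Unknown owner":
        entry.flags.append("unknown-owner")       # no publisher info; check the file by hand
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every O4/O16/O23 line of a HijackThis log into Entry objects."""
    entries: List[Entry] = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O4 - "):
            entries.append(parse_o4(line))
        elif line.startswith("O16 - "):
            entries.append(parse_o16(line))
        elif line.startswith("O23 - "):
            entries.append(parse_o23(line))
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(triage(SAMPLE_LOG)):
        print(f"{e.kind:<4} {e.name!r:<60} {e.target!r}  flags={e.flags}")
```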

#7
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
How is the PC acting and how is your desktop looking?

OK, I need you to download and run Silent Runners:
http://www.silentrun...ent Runners.zip

Unzip it and select Extract all files!

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

It will start scanning the System, be patient, it takes a bit!

Once completed, it will produce a Notepad page; I need you to Copy&Paste those results into your next post!
  • 0

#8
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"SetDefPrt" = "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" ["Zero-Knowledge Systems Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ {++}
EXECUTION UNLIKELY: "Registrando Panda ActiveX" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll" [MS]
EXECUTION UNLIKELY: "Registrando Panda Almacen" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll" [MS]
EXECUTION UNLIKELY: "Registering ActiveScan controles" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\ascontrol.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" ["Zero-Knowledge Systems Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
  • 0

#9
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
That scan is incomplete, it takes a while to run and will produce a Notepad page when completed!
  • 0

#10
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Sorry about that.. here you go! :tazz:


"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"PaperPort PTD" = "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" ["ScanSoft, Inc."]
"IndexSearch" = "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" ["ScanSoft, Inc."]
"SetDefPrt" = "C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe" ["Brother Industories, Ltd."]
"ControlCenter2.0" = "C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun" ["Brother Industries, Ltd."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"Freedom" = "C:\Program Files\Zero Knowledge\Freedom\Freedom.exe" ["Zero-Knowledge Systems Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup\ {++}
EXECUTION UNLIKELY: "Registrando Panda ActiveX" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\as.dll" [MS]
EXECUTION UNLIKELY: "Registrando Panda Almacen" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\pavpz.dll" [MS]
EXECUTION UNLIKELY: "Registering ActiveScan controles" = "C:\WINDOWS\system32\regsvr32.exe /s C:\WINDOWS\system32\ActiveScan\ascontrol.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{3C060EA2-E6A9-4E49-A530-D4657B8C449A}\(Default) = "Pop-Up Blocker BHO"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Zero Knowledge\Freedom\pkR.dll" ["Zero-Knowledge Systems Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = "MSNToolBandBHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Dell Valued Customer\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]


Startup items in "Dell Valued Customer" & "All Users" startup folders:
----------------------------------------------------------------------

C:\Documents and Settings\Dell Valued Customer\Start Menu\Programs\Startup
"LimeWire On Startup" -> shortcut to: "C:\Program Files\LimeWire\LimeWire.exe -startup" ["Lime Wire, LLC"]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Status Monitor" -> shortcut to: "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe Brother MFC-210C /STARTUP" ["Brother Industries, Ltd."]
"NetAssistant" -> shortcut to: "C:\Program Files\NetAssistant\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Sonic CinePlayer Quick Launch" -> shortcut to: "C:\Program Files\Common Files\Sonic Shared\cinetray.exe" ["Sonic Solutions"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll" ["Sun Microsystems, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Brother Popup Suspend service for Resource manager, brmfrmps, ""C:\WINDOWS\system32\Brmfrmps.exe" -service " ["Brother Industries, Ltd."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\system32\brsvc01a.exe" ["brother Industries Ltd"]
Diskeeper, Diskeeper, "C:\Program Files\Executive Software\DiskeeperLite\DKService.exe" ["Executive Software International, Inc."]
DvpApi, dvpapi, ""C:\Program Files\Common Files\Command Software\dvpapi.exe"" ["Command Software Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
HTTP SSL, HTTPFilter, "C:\WINDOWS\System32\svchost.exe -k HTTPFilter" {"C:\WINDOWS\System32\w3ssl.dll" [MS]}
iPod Service, iPodService, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Computer, Inc."]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0



#11
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Things are looking much better now. How is the PC running?
  • 0

#12
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
It's running great again. I have two antivirus programs scanning in live time.. I've had the odd virus picked up, usually on reboot, but nothing in the last reboot or two. Both are updated and sometimes one catches things, sometimes the other does.

Thanks for all your help! :tazz:
  • 0

#13
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
OK - I lied!! The virus that keeps popping up is found in draw32.dll (which I erased before).. I keep clicking to clean and/or delete the file and every time I reboot it's there.

Also, now I'm having issues with burning CDs.. not sure if it's something in one of the registries (with my driver) or what, but I never had a problem before.. GAH.

Now it won't read anything from my DCD/RW drive.. going to post over in the hardware forum.. but, maybe there is something in the registry or something the virus did? I didn't do anything, just tried to make some CD's.. didn't work, thought it was an iTunes error, repaired iTunes (add/remove programs).. still didn't work.. tried Nero and now it won't even read a blank disk in the drive.

Edited by ejm93, 24 June 2005 - 12:26 PM.

  • 0

#14
ejm93

ejm93

    Member

  • Topic Starter
  • Member
  • PipPip
  • 24 posts
Just ran a scan in NoAdware v3.0.. A whole bunch of new viruses popped up (Dangerous and Severe were their ratings). They were all deleted.. I looked around and didn't see where there was a log, so I couldn't copy/paste.

A new HiJackThis log is here:

Logfile of HijackThis v1.99.1
Scan saved at 2:39:13 PM, on 6/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Sonic Shared\cinetray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Sonic CinePlayer Quick Launch.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1DB93715-3B60-43EE-93E6-279BB3E1DF76} (OCXDownloadChecker Control) - http://se.no-ip.com/...hecker_6100.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1106258708390
O16 - DPF: {894B8712-11F1-48A7-899F-36D6C695D9D8} - http://service.sympa...re/codebaby.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} - http://www.freedom.n...cabs/cssweb.cab
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FC} (PCUploader Class) - http://www.walmartph...x/PCAXSetup.cab?
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
OK, we will deal with the CD burning later; right now I am concerned about Backdoor.Haxdoor, which is what the draw32.dll is all about!

I need to see some more Info!

Go here
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

Enter each of these and Save the Results!

draw32

vdnt32

MEMLOW

Post those results as soon as you can!
  • 0