Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help with Trojan removal [RESOLVED]

Started by drewrobinson , Jun 24 2005 02:48 PM

  • This topic is locked This topic is locked

#1
drewrobinson
Posted 24 June 2005 - 02:48 PM

drewrobinson

    New Member

  • Member
  • Pip
  • 9 posts
I have tried all of your suggestions nothing works. AVG says I have 4 Trojans. Please help. Thank you. - Andrew


Logfile of HijackThis v1.99.1
Scan saved at 4:46:09 PM, on 6/24/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RAKLLP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [qn4T36P] NCOPRXY2.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rakllp.exe reg_run
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O4 - Startup: nadu.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
  • 0

Advertisements

#2
Guest_usetobe_*
Posted 25 June 2005 - 08:26 AM

Guest_usetobe_*
  • Guest
OK drew,

Please download Cleanup from here:
Cleanup. Do not run it yet.

Run this online virus scan: ActiveScan - Save the results from the scan!

Set up PC to show hidden files.(Click link if you do not know how)
Show hidden files

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Then please run HijackThis, click Scan, and check the following, if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [qn4T36P] NCOPRXY2.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rakllp.exe reg_run
O4 - Startup: nadu.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe

Ensure no windows open except HJT and click fix checked.

Now using windows explorer locate and delete the following if found.

C:\WINDOWS\RAKLLP.EXE
C:\WINDOWS\SYSTEM\PSof1.exe
C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
C:\WINDOWS\rakllp.exe reg_run
NCOPRXY2.EXE <<--carry out a search for this one
nadu.exe <<--carry out a search for this.

Now run Cleanup to clear out temp files and junk.

Now reboot normally, rescan with HJT and post a fresh log back, together with the Panda scan.
  • 0

#3
drewrobinson
Posted 25 June 2005 - 11:39 AM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok I did as you suggested here is the HijackThis log.......

Logfile of HijackThis v1.99.1
Scan saved at 1:31:33 PM, on 6/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\EXPLORER.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

And the Active Scan.................

Scan finishedScan report


System Files Messages

Scanned Yes 0 1
Infected - 0 0
Suspicious - 0 0
Disinfected - 0 0

No viruses have been found. To keep your computer permanently protected against viruses, install the antivirus solution that best suits your needs.

So far AVG has not popped up with any Trojan notices so hopefully this has worked. Thank you so much, I will keep my fingers crossed-LOL!
  • 0

#4
Guest_usetobe_*
Posted 25 June 2005 - 11:52 AM

Guest_usetobe_*
  • Guest
Hi Again,

Not out the wood yet.

Please run the following online virus scan

Kaspersky For company just type anything you like. Save the report it produces.

Then reboot into safe mode, rescan with HJT and check the following entry:

O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart

Ensure no windows open except HJT and click fix checked.

Now using windows explorer locate and delete the following

C:\WINDOWS\SYSTEM\SUPDATE.DLL

Reboot into normal mode, rescan with HJT and post the log back with the Kaspersky log
  • 0

#5
drewrobinson
Posted 25 June 2005 - 05:31 PM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here we go, one odd thing I have noticed maybe it s nothing but every time I reboot your web site is deleted from my "Favorites" list??? Very odd. Any way here is the Kaspersky Log..................

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, June 25, 2005 19:11:36
Operating System: Microsoft Windows Millennium Edition
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 25/06/2005
Kaspersky Anti-Virus database records: 127789
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
a:\
c:\
d:\
m:\

Scan Statistics:
Total number of scanned objects: 42237
Number of viruses found: 5
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 5229 sec

Infected Object Name - Virus Name
c:\WINDOWS\SYSTEM\supdate.dll Infected: Trojan-Downloader.Win32.Qoologic.p
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
c:\WINDOWS\SYSTEM\redit.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
c:\WINDOWS\SYSTEM\dist001.exe Infected: Trojan-Downloader.Win32.Agent.qg
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Paylap.ev
c:\Program Files\CasStub\casstub.exe Infected: Trojan-Downloader.Win32.Agent.qg

Scan process completed.

And here is the Hijack this log..........................


Logfile of HijackThis v1.99.1
Scan saved at 7:21:39 PM, on 6/25/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab

Thanks again. -Andrew
  • 0

#6
Guest_usetobe_*
Posted 26 June 2005 - 12:50 AM

Guest_usetobe_*
  • Guest
Hi Again,

Almost there.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0002
c:\WINDOWS\SYSTEM\GSM3-0511.exe/data0003
c:\WINDOWS\SYSTEM\GSM3-0511.exe
c:\WINDOWS\SYSTEM\redit.cpl
c:\WINDOWS\SYSTEM\dist001.exe
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED/UNNAMED/html
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED/UNNAMED
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 10:46:10 -0700]/UNNAMED
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED/UNNAMED/html
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Paylap.ev
c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx/[From "PayPal" <[email protected]>][Date Wed, 22 Jun 2005 20:14:53 -0200]/UNNAMED c:\WINDOWS\Application Data\Identities\{483DAFAC-90F0-49F6-96D9-337DDF5A3E93}\Microsoft\Outlook Express\Deleted Items.dbx
c:\Program Files\CasStub\casstub.exe


* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Let me know how you get on.
  • 0

#7
drewrobinson
Posted 26 June 2005 - 06:27 AM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok I did as you said but AVG picked up another Trojan at restart?? Below is the HijackThis log..................

Logfile of HijackThis v1.99.1
Scan saved at 8:24:22 AM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
  • 0

#8
Guest_usetobe_*
Posted 26 June 2005 - 07:22 AM

Guest_usetobe_*
  • Guest
Please disable Spyware Doctor

Copy the files below into notepad

C:\WINDOWS\SYSTEM\SUPDATE.DLL
C:\Program Files\Filseclab\Twister\twister.exe

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.
Whilst your pc is rebooting tap the F8 KEY TO ENTER SAFE MODE

Scan with HJT and check the following:

O4 - HKLM\..\Run: [twister] "C:\Program Files\Filseclab\Twister\twister.exe" -a
X(F) O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart

ensure no windows open and click fix checked

Now Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the txtfile you get afterwards in your next reply.

Carry out free online virus scan from the following:
F-secure

Rescan with HJT and post the log backntogether with silent runners log, f-secure log and also please identify trojans picked up be AVG.
  • 0

#9
drewrobinson
Posted 26 June 2005 - 11:24 AM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here is the log from AVG

S T Virus name Path Date of detection Filename File size
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0025129.CPY 6/20/2005 2:26:40 PM A0025129.CPY 164.5 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0025129.CPY 6/20/2005 2:27:19 PM A0025129.CPY 164.5 KB
Trojan horse Downloader.Small.44.BW C:\WINDOWS\TEMP\WUPDT.EXE 6/20/2005 11:01:41 PM WUPDT.EXE 33 KB
Trojan horse Downloader.Small.44.BW C:\WINDOWS\TEMP\WUPDT.EXE 6/20/2005 11:10:50 PM WUPDT.EXE 33 KB
Trojan horse Downloader.Small.44.BW C:\WINDOWS\TEMP\WUPDT.EXE 6/21/2005 12:25:56 AM WUPDT.EXE 33 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/21/2005 9:10:02 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.44.BW C:\WINDOWS\TEMP\WUPDT.EXE 6/21/2005 9:25:00 PM WUPDT.EXE 33 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/21/2005 9:57:59 PM UCI.EXE 218 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\ASMS.EXE 6/21/2005 9:59:21 PM ASMS.EXE 223.5 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0028630.CPY 6/21/2005 10:21:02 PM A0028630.CPY 164.5 KB
Trojan horse Dropper.Agent.7.K C:\_RESTORE\TEMP\A0028633.CPY 6/21/2005 10:21:02 PM A0028633.CPY 196 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0028771.CPY 6/21/2005 10:21:02 PM A0028771.CPY 218 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0028774.CPY 6/21/2005 10:21:02 PM A0028774.CPY 223.5 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0027632.CPY 6/21/2005 10:21:03 PM A0027632.CPY 164.5 KB
Trojan horse Dropper.Agent.7.K C:\_RESTORE\TEMP\A0027635.CPY 6/21/2005 10:21:03 PM A0027635.CPY 196 KB
Trojan horse Downloader.Small.15.BS C:\_RESTORE\TEMP\A0027638.CPY 6/21/2005 10:21:03 PM A0027638.CPY 57 KB
Trojan horse Downloader.Apropo.AI C:\_RESTORE\TEMP\A0027699.CPY 6/21/2005 10:21:03 PM A0027699.CPY 244 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/21/2005 10:26:47 PM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F288585.EXE 6/21/2005 10:27:22 PM F288585.EXE 117.5 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/21/2005 10:27:50 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/21/2005 10:28:55 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/21/2005 10:29:59 PM UCI.EXE 218 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/21/2005 11:21:42 PM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/21/2005 11:22:50 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/21/2005 11:23:53 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/21/2005 11:24:59 PM UCI.EXE 218 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\ASMS.EXE 6/21/2005 11:26:02 PM ASMS.EXE 223.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/22/2005 12:48:13 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Downloader.Generic.RR C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\KDYRC9Y3\2.8.7.4[1].EXE 6/22/2005 1:15:24 PM 2.8.7.4[1].EXE 64 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/22/2005 10:30:32 PM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\IM49.EXE 6/22/2005 10:31:24 PM IM49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/22/2005 10:32:26 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/22/2005 10:33:35 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/22/2005 10:37:09 PM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\IM49.EXE 6/22/2005 10:37:53 PM IM49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/22/2005 10:38:56 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/22/2005 10:40:01 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F300381.EXE 6/22/2005 10:40:34 PM F300381.EXE 117.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\IM49.EXE 6/22/2005 11:06:21 PM IM49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/22/2005 11:07:23 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/22/2005 11:08:25 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F296691.EXE 6/22/2005 11:09:00 PM F296691.EXE 117.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/23/2005 8:44:49 AM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/23/2005 8:45:58 AM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\IM49.EXE 6/23/2005 8:47:00 AM IM49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/23/2005 8:48:13 AM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F1591221.EXE 6/23/2005 8:48:42 AM F1591221.EXE 117.5 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/23/2005 8:49:08 AM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/23/2005 8:57:05 AM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\IM49.EXE 6/23/2005 8:57:59 AM IM49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/23/2005 8:59:05 AM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/23/2005 9:00:33 AM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/23/2005 9:01:09 AM UCI.EXE 218 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/23/2005 9:02:16 AM UCI.EXE 218 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/24/2005 2:38:02 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/24/2005 2:39:02 PM UCI.EXE 218 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/24/2005 4:08:48 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE 6/24/2005 5:33:32 PM WRAPPEROUTER.EXE 164.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\INSTALLER_MARKETING49.EXE 6/24/2005 5:33:54 PM INSTALLER_MARKETING49.EXE 62 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE 6/24/2005 5:35:00 PM SSK3_B5 SEEDCORN 4.EXE 57 KB
Trojan horse Dropper.Agent.7.K C:\WINDOWS\SYSTEM\VENTURA5.EXE 6/24/2005 5:36:19 PM VENTURA5.EXE 196 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F287842.EXE 6/24/2005 5:36:36 PM F287842.EXE 117.5 KB
Trojan horse Downloader.Small.15.BS C:\WINDOWS\SYSTEM\UCI.EXE 6/24/2005 5:37:06 PM UCI.EXE 218 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F17089739.EXE 6/24/2005 10:16:37 PM F17089739.EXE 117.5 KB
Trojan horse Downloader.Generic.RR C:\WINDOWS\TEMP\tp7543.exe 6/25/2005 8:25:24 AM tp7543.exe 64 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F59573810.EXE 6/25/2005 10:04:37 AM F59573810.EXE 117.5 KB
Trojan horse Downloader.Generic.VF C:\WINDOWS\TEMP\F285870.EXE 6/25/2005 11:33:17 AM F285870.EXE 117.5 KB

Here is the Silent Runner Log..............

"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MoneyAgent" = ""C:\Program Files\Microsoft Money\System\Money Express.exe"" [MS]
"Taskbar Display Controls" = "RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY" [MS]
"CAS Client" = ""C:\Program Files\Cas\Client\casclient.exe"" [null data]
"Spyware Doctor" = ""C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ScanRegistry" = "C:\WINDOWS\scanregw.exe /autorun" [MS]
"TaskMonitor" = "C:\WINDOWS\taskmon.exe" [MS]
"PCHealth" = "C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"Keyboard Manager" = "C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe" ["Netropa Corp."]
"HPScanPatch" = "C:\WINDOWS\SYSTEM\HPScanFix.exe" ["Hewlett-Packard Company"]
"MMTray" = (empty string)
"hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"]
"Delay" = "C:\WINDOWS\delayrun.exe" [file not found]
"LexStart" = "Lexstart.exe" ["Lexmark International, Inc."]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"SchedulingAgent" = "mstask.exe" [MS]
"SSDPSRV" = "C:\WINDOWS\SYSTEM\ssdpsrv.exe" [MS]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"StillImageMonitor" = "C:\WINDOWS\SYSTEM\STIMON.EXE" [MS]
"KB891711" = "C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe C:\WINDOWS\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 C:\WINDOWS\INF\applets1.inf" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4efb-9B51-7695ECA05670}\(Default) = "Yahoo! Companion BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{e57ce731-33e8-4c51-8354-bb4de9d215d1}" = "Universal Plug and Play Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\UPNPUI.DLL" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{34507538-708C-48FF-BA78-1FFDDF0FF3FA}" = "Twister scan shell extension"
-> {CLSID}\InProcServer32\(Default) = "blank" [file not found]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\My Documents\tower kids.jpg"


Startup items in "Startup" & "All Users...Startup" folders:
-----------------------------------------------------------

C:\WINDOWS\Start Menu\Programs\StartUp
"Dexxa Optical Mouse" -> shortcut to: "C:\Program Files\Dexxa Optical Mouse\scw64.exe" ["("]
"Sprint FastConnect virtual assistant" -> shortcut to: "C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe -boot" ["Motive Communications, Inc."]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\WINDOWS\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
C:\WINDOWS\SYSTEM\mswsosp.dll [MS], 1
C:\WINDOWS\SYSTEM\msafd.dll [MS], 2 - 4
C:\WINDOWS\SYSTEM\rsvpsp.dll [MS], 5 - 6


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" = "Yahoo! Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL" ["Yahoo! Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "MSN Messenger Service"
"Exec" = "C:\PROGRA~1\MESSEN~1\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://hp.my.yahoo.com
[Strings]: MS_START_PAGE_URL="http://www.microsoft...5.5&ar=msnhome"

Missing lines (compared with English-language version):
[Strings]: 2 lines


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


And the F-Secure Log....................

Finished: 1 virus found

Scanned files: 42368 Warning: 1 file(s) still infected!


c:\Recycled\Dc6.dll Trojan-Downloader.Win32.Qoologic.p

I noticed this was in my recycled so I went ahead and emptied it. I will check back a bit later and see if you have made any sense out of this mess. Thanks again - Andrew
  • 0

#10
drewrobinson
Posted 26 June 2005 - 11:26 AM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I forgot to post the HijackThis log, sorry. Here it is.


Logfile of HijackThis v1.99.1
Scan saved at 1:24:37 PM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://hp.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://hp.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
  • 0

Advertisements

#11
Guest_usetobe_*
Posted 26 June 2005 - 01:08 PM

Guest_usetobe_*
  • Guest
Hi Drew,

Most of these are in temp folders or system restore, we will clear temp folders first then once your system is squeeky clean we will clear restore points.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Now copy the paths below into notepad

C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\VENTURA5.EXE
C:\WINDOWS\SYSTEM\UCI.EXE
C:\WINDOWS\SYSTEM\ASMS.EXE
C:\WINDOWS\SYSTEM\WRAPPEROUTER.EXE
C:\WINDOWS\SYSTEM\SSK3_B5 SEEDCORN 4.EXE
C:\WINDOWS\SYSTEM\IM49.EXE
C:\WINDOWS\SYSTEM\INSTALLER_MARKETING49.EXE
C:\WINDOWS\TEMP\F285870.EXE

Boot into Safe mode

Disable spyware doctor

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your PC does not reboot automatically, reboot it manually.

Rescan with HJT and post the log back
  • 0

#12
drewrobinson
Posted 26 June 2005 - 02:37 PM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here is the new HijackThis log...........

Logfile of HijackThis v1.99.1
Scan saved at 4:34:50 PM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
  • 0

#13
Guest_usetobe_*
Posted 26 June 2005 - 02:59 PM

Guest_usetobe_*
  • Guest
Rebot into SAFE MODE, rescan with HJT, check the following entry

O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"

Ensure no windows open except HJT and click fix checked.

Ensure pc set up to show hidden files and using windows explorer locate and delete the following file if found

C:\Program Files\Cas\Client\casclient.exe

Reboot PC normally, carry out a scan of pc using your AVG anti virus. Save any log it produces if it finds anything.

Rescan with HJT and post the log back
  • 0

#14
drewrobinson
Posted 26 June 2005 - 05:12 PM

drewrobinson

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok here is the AVG log - seems to be clean..........

Object Result Status
Partition table (MBR) ok Quick checked
Boot sector of disk C: ok Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
C:\PROGRA~1\ACCESS~1\WORDPAD.EXE ok Quick checked
C:\PROGRA~1\GRISOFT\AVGFRE~1\avgamsvr.exe ok Quick checked
C:\PROGRA~1\GRISOFT\AVGFRE~1\avgcc.exe ok Quick checked
C:\PROGRA~1\GRISOFT\AVGFRE~1\avgemc.exe ok Quick checked
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE ok Quick checked
C:\Program Files\Microsoft Money\System\Money Express.exe ok Quick checked
C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe ok Quick checked
C:\WINDOWS\NOTEPAD.EXE ok Quick checked
C:\WINDOWS\PCHealth\Support\PCHSCHD.EXE ok Quick checked
C:\WINDOWS\REGEDIT.EXE ok Quick checked
C:\WINDOWS\RUNDLL.EXE ok Quick checked
C:\WINDOWS\RUNDLL32.EXE ok Quick checked
C:\WINDOWS\SCANREGW.EXE ok Quick checked
C:\WINDOWS\SYSTEM\HPScanFix.exe ok Quick checked
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE ok Quick checked
C:\WINDOWS\SYSTEM\LEXSTART.EXE ok Quick checked
C:\WINDOWS\SYSTEM\MSHTA.EXE ok Quick checked
C:\WINDOWS\SYSTEM\MSTASK.EXE ok Quick checked
C:\WINDOWS\SYSTEM\SHELL32.DLL ok Quick checked
C:\WINDOWS\SYSTEM\SHIMGVW.DLL ok Quick checked
C:\WINDOWS\SYSTEM\SSDPSRV.EXE ok Quick checked
C:\WINDOWS\SYSTEM\STIMON.EXE ok Quick checked
C:\WINDOWS\SYSTEM\SYSTRAY.EXE ok Quick checked
C:\WINDOWS\System\Restore\STATEMGR.EXE ok Quick checked
C:\WINDOWS\TASKMON.EXE ok Quick checked
c:\windows\system\hpsysdrv.exe ok Quick checked
C:\WINDOWS\SYSTEM\kernel32.dll ok Quick checked
C:\WINDOWS\SYSTEM\wsock32.dll ok Quick checked
C:\WINDOWS\SYSTEM\user32.dll ok Quick checked
C:\WINDOWS\SYSTEM\shell32.dll ok Quick checked

And the HijackThis log............

Logfile of HijackThis v1.99.1
Scan saved at 7:07:15 PM, on 6/26/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\DEXXA OPTICAL MOUSE\SCW64.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGWB.DAT
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com...rch/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5_6_2_0.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Dexxa Optical Mouse.lnk = C:\Program Files\Dexxa Optical Mouse\scw64.exe
O4 - Startup: Sprint FastConnect virtual assistant.lnk = C:\Program Files\Sprint Virtual Assistant\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.game...s/y/mjst4_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
  • 0

#15
Guest_usetobe_*
Posted 27 June 2005 - 01:05 AM

Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP