Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

is TROJAN/bloodhound gone? [resolved]


  • This topic is locked This topic is locked

#31
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Is this it?

Files\rkfiles\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
D:\WINDOWS\system32\lame_enc.dll: UPX!
D:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
D:\WINDOWS\tsc.exe: UPX!
D:\WINDOWS\vsapi32.dll: UPX!t4
Finished
  • 0

Advertisements


#32
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I'm running out of options.

Please tell me:

1. What were the original reasons (signs of infections) that brought you here?
2. What specific problems are you having now besides the keyboard problems?
3. Give me a hijack this log and a panda scan contents scan again. I am going to figure this out, but I need that information.

Thanks-
cw :tazz:
  • 0

#33
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
not looking good huh? I really appreciate your work cw.




Incident Status Location

Adware:adware/twain-tech No disinfected D:\WINDOWS\smdat32m.sys
Adware:adware/gator No disinfected D:\PROGRAM FILES\COMMON FILES\CMEII
Adware:adware/p2pnetworking No disinfected HKEY_CURRENT_USER\SOFTWARE\P2P NETWORKING
Adware:adware/sbsoft No disinfected HKEY_CURRENT_USER\SOFTWARE\SEARCHTOOLBAR
Spyware:spyware/wareout No disinfected HKEY_CURRENT_USER\SOFTWARE\WAREOUT
Spyware:spyware/altnet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOPSEARCH.TSLINK
Adware:adware/need2find No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND
Adware:adware/looksmart No disinfected HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}
Adware:Adware/P2PNetworking No disinfected D:\WINDOWS\system32\P2P Networking v126.cpl



-------------


HijackThis v1.99.1
Scan saved at 9:59:02 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\sistray.EXE
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
D:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
D:\Program Files\eFax Messenger 4.0\J2GTray.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\WINDOWS\system32\NOTEPAD.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe acroreader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] D:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] D:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe acroreader\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = D:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = D:\Program Files\eFax Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: .nmfisead - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0

#34
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You're doing fine. I will be away from the computer until late tonight.
I found a fix, but I have got to get some work done. Take the night off. :tazz:
  • 0

#35
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Copy the filepaths below and paste them into notepad. Save it to desktop

D:\WINDOWS\smdat32m.sys
D:\PROGRAM FILES\COMMON FILES\CMEII
D:\WINDOWS\system32\P2P Networking


* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\P2P NETWORKING]

[-HKEY_CURRENT_USER\SOFTWARE\SEARCHTOOLBAR]

[-HKEY_CURRENT_USER\SOFTWARE\WAREOUT]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOPSEARCH.TSLINK]

[-HKEY_LOCAL_MACHINE\SOFTWARE\NEED2FIND]

[-HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.

Reboot your computer INTO safe mode.

Rescan with HJT and check the following entries if present:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe (file missing)

O23 - Service: .nmfisead - - (no file)


Ensure no windows open except HJT and click fix checked.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Rescan with HJT and post the log back
  • 0

#36
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hi cw,

I feel terrible about all the hard work you're putting in for me. I will gladly donate to your cause as soon as i get my landlord paid :tazz:

i was fine until killbox. it's saving as exe and not zip and wont run. is it me?
  • 0

#37
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Sorry about it not being the zip form. Just run the exe program and place it on your desktop. Sorry. :tazz:
  • 0

#38
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I feel like a pro :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:28 AM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\sistray.EXE
D:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\adobe acroreader\Reader\reader_sl.exe
D:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
D:\Program Files\eFax Messenger 4.0\J2GTray.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe acroreader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] D:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] D:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] D:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe acroreader\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = D:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = D:\Program Files\eFax Messenger 4.0\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast...ostClientIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O23 - Service: .nmfisead - - (no file)
O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0

#39
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Are you running Norton anti-viral and AVG? Please only use one anti-viral product.

How is it running? You did really, really well. :tazz:
  • 0

#40
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Hiya, I removed norton a couple weeks ago. is it showing up still?

typing is still messed up. is it hopeless? i always took my keyboard for granted, never again. :tazz:
  • 0

Advertisements


#41
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Go to task manager (control >>alt>> delete) and end this process and any others that are norton related.

D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

When you say the keyboard is messed up, what do you mean? Sometimes you can hit the Fn key and when you push the "j" button, you get a 1. that's how it works on my keyboard.
  • 0

#42
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
k, i ended the process. The keys just dont register unless i hold each letter down two seconds. took three minutes to write this :tazz:

it's like comp's brain is stuttering but unlike normal when a comp does that and you hit 's' three times, comp catches up with 'sss' , not here, press 's' five times, when comp catches up you just get one 's'.


I had a vid card installed the same time i got virus. is it possible vid card is draining comp or comp output isn't set correctly? because it works/types perfectly when patched into everquest.

Enigma! ;)
  • 0

#43
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
What is everquest?

And you've tried another keyboard?

Is the keyboard you're using the same one you've used forever? What keyboard is it?
  • 0

#44
rivianprods

rivianprods

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Holy schmoly! I turned off the computer last night and rebooted this morning and it works perfectly!!!!! You performed a miracle!!! It's scary but i'm going to try it out for the day and see if anything changes. It only took me ten seconds to write this <<<<< haha

You are gooood at what you do. I really respect that. I look forward to donating to your cause, it wont be what you deserve but i promise to do what i can. :tazz: :help: ;) ;)
  • 0

#45
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
I am thrilled that it's working! :tazz:

I will keep this topic open for a few days just in case you run intoproblems (fingers crossed). Have a good weekend. ;)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP