PSGuard
#31
Posted 17 September 2005 - 06:43 PM
#32
Posted 18 September 2005 - 04:36 AM
Logfile of HijackThis v1.99.1
Scan saved at 4:22:39 AM, on 9/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.is/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123155491921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
#33
Posted 18 September 2005 - 05:26 AM
download this file:
http://www.sophos.com/support/cleaners/sdbotgui.com, DO NOT Run it yet.
++++++++++++++++++++++++++++
Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:
MAPI Mail Client
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.
++++++++++++++++++++++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
Make sure to double check the items you have selected, then click Fix Checked.
++++++++++++++++++++++++++++
Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service". A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):
MAPI
Click OK.
It should pull up information about the service, then ask if you want to reboot. Click YES.
++++++++++++++++++++++++++++
- open SDBOTGUI
- run it
- then click START SCAN
- After removing the worm you should install the Microsoft patch MS03-039 or, update with all relevant security patches from Windows update.
Microsoft patch MS03-039 - http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
Windows Update - http://windowsupdate.microsoft.com/
Also post the log from C:\resolve.log
Edited by kool808, 18 September 2005 - 05:30 AM.
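The items kool808 picks out of the log by hand (the RunServices entries, the ownerless service whose image file is missing, the proxy setting) can be flagged automatically. The Python below is an added example written for this thread, not HijackThis or Sophos code; its sample lines are constructed from the first log above, and the severity labels are a triage convention of this example rather than anything HijackThis reports.

```python
"""Triage the HijackThis entry types that matter in this thread.

Added example for this thread, not HijackThis or Sophos code. It parses
R0/R1 (IE and WinInet settings), O4 (autostart) and O23 (NT service)
lines and flags what kool808 picked out by hand: entries under the
legacy RunServices keys, services whose image file is missing or whose
owner is unknown, and a proxy that points at a loopback listener.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.is/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKCU\..\RunServices: [Compaq32 Service Drivers] msconfig32.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINDOWS\System32\mapi32.exe (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
"""

# R0/R1: "<hive\key>,<value> = <data>"
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4: "<location>: [<name>] <command>"; Startup-folder entries have no [name].
O4_RE = re.compile(r"^O4 - (?P<location>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<command>.*)$")
# O23: "<display> (<short>) - <owner> - <path> [(file missing)]"; the short
# name is optional and the display name may itself contain parentheses.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
LOOPBACK_RE = re.compile(r"(?<![\w.])(?:localhost|127\.0\.0\.1)(?![\w.])", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (this example's own scale)
    line: str
    reason: str


def parse_service(line: str) -> dict | None:
    """Split an O23 line into its fields, or return None if it is not one."""
    m = O23_RE.match(line)
    if not m:
        return None
    return {
        "display": m["display"],
        "short": m["short"],
        "owner": m["owner"],
        "path": m["path"],
        "file_missing": m["missing"] is not None,
    }


def triage(log_text: str) -> list[Finding]:
    """Return the entries a helper would ask about, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            value, data = m["value"].strip(), m["data"].strip()
            if value == "Start Page":
                findings.append(Finding("low", line, f"confirm the user chose this home page: {data}"))
            elif value == "ProxyServer" and LOOPBACK_RE.search(data):
                # IE only works while whatever listens on that local port is
                # running; identify the owning program before changing it.
                findings.append(Finding("medium", line, f"proxy points at a loopback listener: {data}"))
        elif m := O4_RE.match(line):
            if "RunServices" in m["location"]:
                # Legacy Windows 9x-era autostart key; current software on XP
                # does not register there, so any entry deserves a look.
                findings.append(Finding("high", line, f"legacy RunServices autostart {m['name']!r} -> {m['command']!r}"))
        elif svc := parse_service(line):
            unknown = svc["owner"].lower() == "unknown owner"
            if svc["file_missing"] and unknown:
                findings.append(Finding("high", line, f"service {svc['display']!r} has no owner and its image {svc['path']} is gone"))
            elif svc["file_missing"]:
                findings.append(Finding("medium", line, f"orphaned service entry; image {svc['path']} is missing"))
            elif unknown:
                findings.append(Finding("low", line, f"service {svc['display']!r} carries no vendor information"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(results))
```

Legitimate software trips the same rules (an uninstalled AIM service also shows "(file missing)"), so the output is a list of things to verify, not a verdict.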
#34
Posted 19 September 2005 - 03:19 AM
I followed all steps and am still unable to surf the internet unless I activate my ISP's Accelerator program (ISP is Earthlink). Unless I start this before opening an IE page, I get Cannot Find Server.
Here are the requested logs:
Logfile of HijackThis v1.99.1
Scan saved at 3:12:28 AM, on 9/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.is/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123155491921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com
System disinfection for W32/Sdbot
Data Version 1.18
System scan started at 02:54 on 19 September 2005
Checking services
Checking for W32/Sdbot in memory
Checking for registry keys affected by W32/Sdbot
Deleted registry value HKCU\Software\Microsoft\OLE\Compaq32 Service Drivers
Deleted registry value HKLM\Software\Microsoft\OLE\Compaq32 Service Drivers
Deleted registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Compaq32 Service Drivers
Checking for files affected by W32/Sdbot
Scanning C:
Error opening file C:\command.exe
Error opening file C:\hiberfil.sys
Error opening file C:\pagefile.sys
Error opening file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000028.exe
Scanning C:\WINDOWS\System32\drivers\etc
System scan finished at 02:58 on 19 September 2005
Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 3
Registry keys changed : 3
Files found : 0
Files deleted : 0
Hope this helps
#35
Posted 19 September 2005 - 04:27 AM
Right click on the Microsoft AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re-enable it LATER after the fixes, you follow the same steps but click on Enable Real-time Protection.
+++++++++++++++++++++++++++++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.is/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
Make sure to double check the items you have selected, then click Fix Checked.
NOTE: Did you set that home page? Are you familiar with it? If not then remove it.
reboot in SAFE MODE.
run the SDBOTGUI tool again then post back a new C:\resolve.log
reboot back in NORMAL MODE.
Open Internet Explorer > Tools > Reset Web Settings > put a checkmark on reset homepage > OK.
you need to re-open IE to take effect.
Post back a new hijackthis log.
Edited by kool808, 19 September 2005 - 04:28 AM.
#36
Posted 21 September 2005 - 05:04 AM
More of the same unfortunately. Still unable to surf unless I activate my ISP's accelerator. Where would I find this Microsoft AntiSpyware icon? I can't locate such a program anywhere under my programs list. Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:16 AM, on 9/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\program files\mcafee.com\vso\mcvsshld.exe
C:\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123155491921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Here is the sdbotgui log. I ran this scan with it set to scan all files instead of suspected files:
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com
System disinfection for W32/Sdbot
Data Version 1.18
System scan started at 02:54 on 19 September 2005
Checking services
Checking for W32/Sdbot in memory
Checking for registry keys affected by W32/Sdbot
Deleted registry value HKCU\Software\Microsoft\OLE\Compaq32 Service Drivers
Deleted registry value HKLM\Software\Microsoft\OLE\Compaq32 Service Drivers
Deleted registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Compaq32 Service Drivers
Checking for files affected by W32/Sdbot
Scanning C:
Error opening file C:\command.exe
Error opening file C:\hiberfil.sys
Error opening file C:\pagefile.sys
Error opening file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000028.exe
Scanning C:\WINDOWS\System32\drivers\etc
System scan finished at 02:58 on 19 September 2005
Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 3
Registry keys changed : 3
Files found : 0
Files deleted : 0
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com
System disinfection for W32/Sdbot
Data Version 1.18
System scan started at 03:47 on 21 September 2005
Checking services
Checking for W32/Sdbot in memory
Checking for registry keys affected by W32/Sdbot
Checking for files affected by W32/Sdbot
Scanning C:
Error opening file C:\pagefile.sys
Scanning C:\WINDOWS\System32\drivers\etc
System scan finished at 03:50 on 21 September 2005
Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 0
Files deleted : 0
RESOLVE Version 1.07
Copyright © 2004, Sophos Plc, www.sophos.com
System disinfection for W32/Sdbot
Data Version 1.18
System scan started at 04:32 on 21 September 2005
Checking services
Checking for W32/Sdbot in memory
Checking for registry keys affected by W32/Sdbot
Checking for files affected by W32/Sdbot
Scanning C:
Error opening file C:\command.exe
Error opening file C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log
Error opening file C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck
Error opening file C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\46be4b2461c927707882da6c6e199f64_1dce0e75-1303-433a-bfc1-6b582bd25551
Error opening file C:\Documents and Settings\LocalService\Cookies\index.dat
Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Error opening file C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Error opening file C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Error opening file C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Error opening file C:\Documents and Settings\LocalService\NTUSER.DAT
Error opening file C:\Documents and Settings\LocalService\ntuser.dat.LOG
Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Error opening file C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Error opening file C:\Documents and Settings\NetworkService\NTUSER.DAT
Error opening file C:\Documents and Settings\NetworkService\ntuser.dat.LOG
Error opening file C:\Documents and Settings\Xavier\Application Data\Earthlink\6.0\[email protected]\Cookies\index.dat
Error opening file C:\Documents and Settings\Xavier\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
Error opening file C:\Documents and Settings\Xavier\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
Error opening file C:\Documents and Settings\Xavier\Local Settings\History\History.IE5\index.dat
Error opening file C:\Documents and Settings\Xavier\Local Settings\History\History.IE5\MSHist012005092120050922\index.dat
Error opening file C:\Documents and Settings\Xavier\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Error opening file C:\Documents and Settings\Xavier\ntuser.dat
Error opening file C:\Documents and Settings\Xavier\ntuser.dat.LOG
Error opening file C:\hiberfil.sys
Error opening file C:\pagefile.sys
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\output.log
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\benchmark.dat
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\41\f941
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\activeDomains
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\b5\81b5
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\c8\76c8
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\codescache\nonactiveDomains
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\http_cache\headers\_0000_1
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\http_cache\headers\_0000_2
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\http_cache\_0000_1
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\http_cache\_0000_2
Error opening file C:\Program Files\EarthLink TotalAccess\Accelerator\temp\urlsinfo.xls
Error opening file C:\resolve.log
Error opening file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000028.exe
Error opening file C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\change.log
Error opening file C:\WINDOWS\Debug\oakley.log
Error opening file C:\WINDOWS\Debug\PASSWD.LOG
Error opening file C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
Error opening file C:\WINDOWS\SchedLgU.Txt
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SAM
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
Error opening file C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
Error opening file C:\WINDOWS\SYSTEM32\H323LOG.TXT
>>>Virus 'W32/Sdbot-ADC' found in file C:\WINDOWS\SYSTEM32\TFTP2644
File deleted
Error opening file C:\WINDOWS\SYSTEM32\TFTP2928
Error opening file C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR
Error opening file C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA
Scanning C:\WINDOWS\System32\drivers\etc
System scan finished at 04:58 on 21 September 2005
Processes found : 0
Processes terminated or disinfected : 0
Services found : 0
Services removed : 0
Registry keys affected : 0
Registry keys changed : 0
Files found : 1
Files deleted : 1
Edited by Xavier243, 21 September 2005 - 05:34 AM.
#37
Posted 26 September 2005 - 04:04 AM
I am very sorry for the delay. I have been very busy this week with my school projects.
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:
O9 - Extra button: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6AD0B080-9B4B-4049-952F-4C2ABB60044E} - (no file) (HKCU)
Make sure to double check the items you have selected, then click Fix Checked.
+++++++++++++++++++++++++
Now let's check some settings on your system.
- Go to Start > Control Panel and double-click on Network Connections
- Then right click on your Default Connection
- Usually Local Area Connection for Cable and DSL
- Left click on Properties.
- Click the Networking tab.
- Double-Click on the Internet Protocol (TCP/IP) item.
- Select the radio dial that says Obtain DNS Servers Automatically.
- Press OK twice to get out of the properties screen and reboot if it asks.
Is your ISP accelerator EarthLink?
#38
Posted 28 September 2005 - 09:37 PM
Hi Xavier,
I am very sorry for the delay. I have been very busy this week with my school projects.
No big deal. Work has kept me away from home for a pretty good deal as well, so I haven't had too much free time on my hands.
And my ISP is Earthlink, but I should be ditching that for wireless here in a month or so. I'll provide a follow-up tonight when I get home.
#39
Posted 30 September 2005 - 06:06 AM
Logfile of HijackThis v1.99.1
Scan saved at 4:04:45 AM, on 9/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123155491921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.c...ropper1_4us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ECA (cpanel) - Unknown owner - C:\WINDOWS\javapanel.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe