
TROJAN ATTACK? [CLOSED]


  • This topic is locked

#1
ldbonner
My computer is flagging errors that look like TROJAN infections.
I have tried to research these but am only finding GERMAN results via google.

Can you help me track and clean this?

1. C:\WINDOWS\DPVSETUP.EXE -- is the Trojan horse TR/StartPage.nv

2. Trojan horse TR/Dldr.IstBar.GT

3. C:\SYSTEM VOLUME INFORMATION\_RESTORE{871A11B1-C095-4414-83C2-A7A809CFE54A}\RP125\A0085879.EXE -- Trojan horse TR/Drop.Mudro.o.3.A

4. C:\WINDOWS\SYSTEM32\RANDRECO.EXE -- is the Trojan horse TR/Dldr.Bety.A

5. C:\WINDOWS\SYSTEM32\SAIE321.DLL -- is the Trojan horse TR/LowZones.B

Edited by ldbonner, 03 July 2005 - 09:48 AM.



#2
Guest_usetobe_*
Please click on the link below and follow the instructions

Click Here

#3
ldbonner
Spybot - DONE
Cleaner - DONE

CWSHREDDER

**** Run Keys ****

RUN: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
RUN: [BCMSMMSG] BCMSMMSG.exe
RUN: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
RUN: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
RUN: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
RUN: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
RUN: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
RUN: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
RUN: [frJjqlPdp] C:\documents and settings\doug\local settings\temp\frJjqlPdp.exe
RUN: [IaDh] C:\documents and settings\doug\local settings\temp\IaDh.exe
RUN: [optionmathexitdownload] C:\Documents and Settings\All Users\Application Data\burn log option math\Plus fast.exe
RUN: [WorkFlow] D:\Install\WorkFlow.exe
RUN: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
RUN: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
RUN: [Sign license fast heck] C:\Documents and Settings\All Users\Application Data\Sixthbluesignlicense\wmahole.exe
RUN: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
RUN: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
RUN: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
RUN: [Hatr] C:\Program Files\raau\eiap.exe


**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
BHO: [AcroIEHlprObj Class] C:\Program Files\Hijack\Spybot - Search & Destroy\SDHelper.dll
BHO: [AcroIEHlprObj Class] C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
BHO: [AcroIEHlprObj Class] C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe


**** IE Toolbars ****



**** IE Extensions ****

IEExt: []
IEExt: [Research]
IEExt: [Real.com]
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS:


**** IE Settings ****

Default Search: http://www.msn.com/access/allinone.htm
Local Page: C:\WINDOWS\system32\blank.htm
Search Bar: http://minisearch.startnow.com/
Search Page: http://minisearch.startnow.com/


**** IE Context Menu (Right click) ****

IEContext: [E&xport to Microsoft Excel] res://C:\PROGRA~1\MICROS~2\2003\FRONTP~1\OFFICE11\EXCEL.EXE/3000
IEContext: [Open Picture in &Microsoft PhotoDraw] res://C:\PROGRA~1\MICROS~2\PHOTOD~1\Office\1033\phdintl.dll/phdContext.htm


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD nwlnkipx [IPX]
LSP: MSAFD nwlnkspx [SPX]
LSP: MSAFD nwlnkspx [SPX] [Pseudo Stream]
LSP: MSAFD nwlnkspx [SPX II]
LSP: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
LSP: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3BBF674C-1113-41D3-B7DF-E12A5AB9EF53}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{3BBF674C-1113-41D3-B7DF-E12A5AB9EF53}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB458613-4778-4C16-92F4-0450C437C848}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{FB458613-4778-4C16-92F4-0450C437C848}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{74046427-157B-460E-8CF1-35C9520B9896}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{74046427-157B-460E-8CF1-35C9520B9896}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{02BCC737-B171-4746-94C9-0D8A0B2C0089} [http://office.micros...es/ieawsdc.cab] C:\Program Files\Microsoft Office\2003\frontpage\OFFICE11\IEAWSDC.DLL
{166B1BCA-3F9C-11CF-8075-444553540000} [http://download.macr...irector/sw.cab]
{3A7FE611-1994-4EF1-A09F-99456752289D} [http://install.wildt...veLauncher.cab]
{3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} [http://office.micros...tent/opuc2.cab]
{6414512B-B978-451D-A0D8-FCFDF33E833C} [http://v5.windowsupd...?1099078463317]
{8AD9C840-044E-11D1-B3E9-00805F499D93} [http://java.sun.com/...ndows-i586.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://www.pandasoft...as5/asinst.cab]
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} [http://java.sun.com/...ndows-i586.cab]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macr...sh/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AntiVirService] "C:\Program Files\AVPersonal\AVGUARD.EXE"
[AOL ACS] C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[aspnet_state] %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[AVWUpSrv] "C:\Program Files\AVPersonal\AVWUPSRV.EXE"
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[Macromedia Licensing Service] "C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe"
[MDM] "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NetSvc] C:\Program Files\Intel\NCS\Sync\NetSvc.exe
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[ose] "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RegSrvc] C:\WINDOWS\System32\RegSrvc.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[S24EventMonitor] C:\WINDOWS\System32\S24EvMon.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{C5FB8532-125D-41BE-B56F-D0971F666F8B}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[UMWdf] C:\WINDOWS\system32\wdfmgr.exe
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WANMiniportService] "C:\WINDOWS\wanmpsvc.exe"
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WLTRYSVC] %SystemRoot%\System32\wltrysvc.exe %SystemRoot%\System32\bcmwltry.exe
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [CustomizeSearch] http://minisearch.startnow.com/
SEARCH: [Default_Search_URL] http://www.msn.com/access/allinone.htm
SEARCH: [Local Page] http://www.startnow.com/
SEARCH: [SearchAssistant_bak] http://ie.search.msn...st/srchasst.htm
SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchasst.htm
SEARCH: [Default_Search_URL] http://www.msn.com/access/allinone.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] no
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.startnow.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [AddToFavoritesExpanded]
IEOPT: [AutoSearch]
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [HistoryViewType]
IEOPT: [StatusBarOther]
IEOPT: [HistoryTopNSitesView]
IEOPT: [Search Bar] http://minisearch.startnow.com/
IEOPT: [Search Page] http://minisearch.startnow.com/
IEOPT: [Default_Search_URL] http://www.msn.com/access/allinone.htm
IEOPT: [Search Bar_bak] http://www.msn.com/access/allinone.htm
IEOPT: [Search Page_bak] www.google.com
IEOPT: [Use Search Assistant] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Error Dlg Details Pane Open] no
IEOPT: [Use Search Asst] yes
IEOPT: [Friendly http errors] yes
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.google.com/
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Check_Associations] yes
IEOPT: [Default_Search_URL] http://www.msn.com/access/allinone.htm
IEOPT: [] yes


EWIDO
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:37:22 PM, 7/3/2005
+ Report-Checksum: 19605186

+ Date of database: 7/3/2005
+ Version of scan engine: v3.0

+ Duration: 107 min
+ Scanned Files: 246907
+ Speed: 38.14 Files/Second
+ Infected files: 16
+ Removed files: 16
+ Files put in quarantine: 16
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users\Documents\_old hard drive\Documents and Settings\Citadel\Desktop\Games\New Folder\MallTycoon2Setup-dm.exe -> Spyware.Trymedia.a -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/1 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/2 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/3 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/5 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/6 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/7 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\XoftSpy\Quarantine\XoftSpyBackup.zip/8 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00798028.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00798029.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00798030.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00798031.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\RECYCLER\NPROTECT\00798032.TXT -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\system32\unregister.exe -> Spyware.VB.f -> Cleaned with backup
C:\WINDOWS\system32\ехplorer.exe -> Spyware.PurityScan -> Cleaned with backup


::Report End




HIJACK LOG

Logfile of HijackThis v1.99.1
Scan saved at 1:43:54 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Microsoft Office\2003\frontpage\OFFICE11\ONENOTEM.EXE
C:\Program Files\Download\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Doug\Desktop\Download folder1\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Hijack\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9C011D13-1F6B-A67F-AE44-A63F5210DC43} - C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
O2 - BHO: (no name) - {B6FA6668-5FED-FF9F-F44B-67281F4E8173} - C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [frJjqlPdp] C:\documents and settings\doug\local settings\temp\frJjqlPdp.exe
O4 - HKLM\..\Run: [IaDh] C:\documents and settings\doug\local settings\temp\IaDh.exe
O4 - HKLM\..\Run: [optionmathexitdownload] C:\Documents and Settings\All Users\Application Data\burn log option math\Plus fast.exe
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Sign license fast heck] C:\Documents and Settings\All Users\Application Data\Sixthbluesignlicense\wmahole.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Hatr] C:\Program Files\raau\eiap.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\2003\frontpage\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\2003\frontpage\Office10\OSA.EXE
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Download\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\2003\FRONTP~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\PHOTOD~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\2003\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099078463317
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



LD

Edited by ldbonner, 03 July 2005 - 12:44 PM.


#4
ldbonner
Malware removal completed - Next step please.

Your help is greatly appreciated.

LD

#5
Guest_usetobe_*
OK here we go.

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update, click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
After the updates are installed, exit Ewido

Please download Cleanup from here:
Cleanup. Do not run it yet.

Set up PC to show hidden files. (Click link if you do not know how)
Show hidden files

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Scan local drives for temporary files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

After Cleanup! is finished:
  • Run Ewido.
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "clean", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido

Now scan with HJT and check the following entries if they still exist:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {9C011D13-1F6B-A67F-AE44-A63F5210DC43} - C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
O2 - BHO: (no name) - {B6FA6668-5FED-FF9F-F44B-67281F4E8173} - C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [frJjqlPdp] C:\documents and settings\doug\local settings\temp\frJjqlPdp.exe
O4 - HKLM\..\Run: [IaDh] C:\documents and settings\doug\local settings\temp\IaDh.exe
O4 - HKLM\..\Run: [optionmathexitdownload] C:\Documents and Settings\All Users\Application Data\burn log option math\Plus fast.exe
O4 - HKLM\..\Run: [Sign license fast heck] C:\Documents and Settings\All Users\Application Data\Sixthbluesignlicense\wmahole.exe
O4 - HKCU\..\Run: [Hatr] C:\Program Files\raau\eiap.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab


Ensure no windows open except HJT and click fix checked

Using Windows Explorer, locate and delete the following files if found

C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
C:\Program Files\Parallel Tasking\ptask.exe
C:\documents and settings\doug\local settings\temp\frJjqlPdp.exe
C:\documents and settings\doug\local settings\temp\IaDh.exe
C:\Documents and Settings\All Users\Application Data\burn log option math\Plus fast.exe
C:\Documents and Settings\All Users\Application Data\Sixthbluesignlicense\wmahole.exe
C:\Program Files\raau\eiap.exe
C:\WINDOWS\system32\Shdocvw.dll


Now reboot pc normally.

Run this online virus scan: ActiveScan - Save the results from the scan!

Rescan with HJT and post the log back, with the ewido and panda logs.
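A triage helper for the HJT log format used throughout this thread, added here as an example and not part of the original posts or of HijackThis itself: it flags the kinds of entries the helper above asked the user to fix (search pages pointing at an unexpected host, a BHO that is an .exe rather than a DLL, Run keys launching from temp or profile data folders, a downloaded control with no class name). The sample lines are copied from the log posted above; the rules, severities and the expected-host list are my assumptions.

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example: the rules below are an assumption of mine, not HijackThis's
own logic. Sample lines are copied from the HJT log posted in this thread.
"""
import re
from urllib.parse import urlparse

# Hosts the user's own *_bak settings show as the expected search defaults (assumption).
EXPECTED_SEARCH_HOSTS = {"www.msn.com", "www.google.com", "ie.search.msn.com"}

# Locations a legitimate autostart entry rarely runs from (matched case-insensitively).
SUSPICIOUS_RUN_DIRS = (r"\local settings\temp", r"\application data")

# Constructed sample: a subset of the HJT entries posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9C011D13-1F6B-A67F-AE44-A63F5210DC43} - C:\DOCUME~1\Doug\APPLIC~1\LONGWA~1\Mail okay.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [frJjqlPdp] C:\documents and settings\doug\local settings\temp\frJjqlPdp.exe
O4 - HKLM\..\Run: [optionmathexitdownload] C:\Documents and Settings\All Users\Application Data\burn log option math\Plus fast.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildt...iveLauncher.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099078463317
"""


def command_path(cmd):
    """Strip quotes and arguments from a Run-key command, keeping only the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage_line(line):
    """Return (severity, reason) for one HJT entry, or None if the line is not an entry."""
    m = re.match(r"^([RFNO]\d+) - (.*)$", line)
    if not m:
        return None
    kind, rest = m.groups()
    if kind in ("R0", "R1") and " = " in rest:
        # Start/search page changed to a host outside the expected defaults.
        host = urlparse(rest.split(" = ", 1)[1].strip()).hostname or ""
        if host and host not in EXPECTED_SEARCH_HOSTS:
            return ("high", f"IE start/search page points at unexpected host {host}")
    elif kind == "R3" and "missing" in rest:
        return ("medium", "default URLSearchHook removed, a common side effect of search hijackers")
    elif kind == "O2":
        # Format: BHO: <name> - {CLSID} - <path>; a BHO is an in-process COM DLL.
        parts = [p.strip() for p in rest[len("BHO: "):].split(" - ", 2)]
        if len(parts) == 3:
            name, _clsid, path = parts
            if not path.lower().endswith(".dll"):
                return ("high", f"BHO loads '{path}', but a BHO is a COM DLL, not an .exe")
            if name == "(no name)":
                return ("low", "unnamed BHO; confirm the DLL belongs to an installed product")
    elif kind == "O4":
        # Format: HKLM\..\Run: [value name] <command>
        rm = re.match(r"HK\w+\\\.\.\\\w+: \[([^\]]*)\] (.*)$", rest)
        if rm:
            value_name, path = rm.group(1), command_path(rm.group(2))
            if any(d in path.lower() for d in SUSPICIOUS_RUN_DIRS):
                return ("high", f"autostart '{value_name}' runs from a temp/profile data folder: {path}")
    elif kind == "O16" and "(" not in rest.split(" - ", 1)[0]:
        return ("medium", "downloaded ActiveX control with no class name; verify the source site")
    return ("info", "no heuristic matched; verify manually against a known-good log")


def triage(log_text):
    """Return [(severity, line, reason)] for every HJT entry in log_text, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        verdict = triage_line(line)
        if verdict:
            findings.append((verdict[0], line, verdict[1]))
    return findings


def fix_candidates(log_text):
    """Entries a helper would ask the user to tick in HJT: the high and medium findings."""
    return [line for sev, line, _ in triage(log_text) if sev in ("high", "medium")]


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {line[:72]}")
        print(f"         {reason}")
```

Entries rated "info" still need a human check against a clean log; the heuristics only surface the obvious cases.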

#6
ldbonner
Logfile of HijackThis v1.99.1
Scan saved at 6:46:35 PM, on 7/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0a\aoltray.exe
C:\Program Files\Download\Trojan Guarder Gold Version\Trojan Guarder.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Microsoft Office\2003\frontpage\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\WINDOWS\system32\Notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Doug\Desktop\Download folder1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Hijack\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WorkFlow] D:\Install\WorkFlow.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\2003\frontpage\OFFICE11\ONENOTEM.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\2003\frontpage\Office10\OSA.EXE
O4 - Global Startup: Trojan Guarder Gold Version.lnk = C:\Program Files\Download\Trojan Guarder Gold Version\Trojan Guarder.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\2003\FRONTP~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~2\PHOTOD~1\Office\1033\phdintl.dll/phdContext.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\2003\FRONTP~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099078463317
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



pandascan

              System   Files   Messages
Scanned       Yes      0       39
Infected      -        0       0
Suspicious    -        0       0
Disinfected   -        0       0


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:15:34 PM, 7/3/2005
+ Report-Checksum: 19605186

+ Date of database: 7/3/2005
+ Version of scan engine: v3.0

+ Duration: 98 min
+ Scanned Files: 246907
+ Speed: 35.54 Files/Second
+ Infected files: 0
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:



::Report End

#7
Guest_usetobe_*
Please disable winpatrol as it may interfere with what we need to do.

Rescan with HJT and check the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.startnow.com/

Ensure no windows open except HJT and click fix checked.

Now rescan with HJT and post the new log back.

#8
Guest_usetobe_*
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.