Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Bad case of the bugs i think. help pls? [CLOSED]


  • This topic is locked This topic is locked

#1
dazlia

dazlia

    Member

  • Member
  • PipPip
  • 20 posts
Hi foks,

Ive got a bnad case of the spyware blues i think including a big "critical warning" displayed as my desktop background and i cant remove it. I'm sure theres loads opf things going on 'behind the scenes' too that i need to get rid of. Could someone please taek a moment out to help?
much appreciated.

daz

Logfile of HijackThis v1.99.1
Scan saved at 17:46:46, on 08/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\program files\timbuktu pro\tb2launch.exe
c:\program files\timbuktu pro\tb2pro.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
c:\program files\timbuktu pro\TNOTIFY.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\justDo\Jd2002.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DisplayManager] C:\WINDOWS\System32\DispMan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\justDo\IECatcher.DLL/FlashCatcher.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\justDo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\justDo\IECatcher.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\PROGRA~1\ELTIMA~1\FLASHD~1\iebt.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6F90DFC-1151-4C53-A366-9AEA3D12798A}: NameServer = 194.177.170.2,194.177.60.2
O20 - Winlogon Notify: Timbuktu Pro - c:\program files\timbuktu pro\Hook32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Biistr - Unknown owner - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - c:\program files\timbuktu pro\tb2launch.exe
  • 0

Advertisements


#2
dazlia

dazlia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi there,
Just to save timew ive read through the various intructions i found and ive also posted a few logs from these utilities that ive run :tazz: The main things i cant seem to get rid of are this silly 'crital warning' desktop wallpaper, along with spysherrif.

I'm just running a kaspersky check opnline and ill post this log in a moment for you ;) Hope someone gets time to look at these and as always id just liek to say thanks for doing the job you do guys. Think i speak for all of us when we say we'd be F';'ked without you ;)

be back in a second .........

Scanned at: 10:31:54 on: 11/07/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 30

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

SpSeHjfix:-



(6/20/05 17:03:46) SPSeHjFix started v1.1.2
(6/20/05 17:03:46) OS: WinXP Service Pack 1 (5.1.2600)
(6/20/05 17:03:46) Language: english
(6/20/05 17:03:46) Win-Path: C:\WINDOWS
(6/20/05 17:03:46) System-Path: C:\WINDOWS\System32
(6/20/05 17:03:46) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\
(6/20/05 17:03:54) Disinfection started
(6/20/05 17:03:54) Bad-Dll(IEP): (not found)
(6/20/05 17:03:54) Bad-Dll(IEP) in BHO: (not found)
(6/20/05 17:03:54) UBF: 4 - UBB: 1 - UBR: 84
(6/20/05 17:03:54) UBF: 4 - UBB: 1 - UBR: 84
(6/20/05 17:03:54) Bad IE-pages: (none)
(6/20/05 17:03:54) Stealth-String not found
(6/20/05 17:03:54) Not infected->END


(6/21/05 13:32:18) SPSeHjFix started v1.1.2
(6/21/05 13:32:18) OS: WinXP Service Pack 1 (5.1.2600)
(6/21/05 13:32:18) Language: english
(6/21/05 13:32:18) Win-Path: C:\WINDOWS
(6/21/05 13:32:18) System-Path: C:\WINDOWS\System32
(6/21/05 13:32:18) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\
(6/21/05 13:32:21) Disinfection started
(6/21/05 13:32:21) Bad-Dll(IEP): (not found)
(6/21/05 13:32:21) Bad-Dll(IEP) in BHO: (not found)
(6/21/05 13:32:21) UBF: 4 - UBB: 2 - UBR: 22
(6/21/05 13:32:21) UBF: 4 - UBB: 2 - UBR: 22
(6/21/05 13:32:21) Bad IE-pages: (none)
(6/21/05 13:32:21) Stealth-String not found
(6/21/05 13:32:21) Not infected->END


(6/23/05 09:57:31) SPSeHjFix started v1.1.2
(6/23/05 09:57:31) OS: WinXP Service Pack 1 (5.1.2600)
(6/23/05 09:57:31) Language: english
(6/23/05 09:57:31) Win-Path: C:\WINDOWS
(6/23/05 09:57:31) System-Path: C:\WINDOWS\System32
(6/23/05 09:57:31) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\
(6/23/05 09:57:32) Disinfection started
(6/23/05 09:57:32) Bad-Dll(IEP): (not found)
(6/23/05 09:57:32) Bad-Dll(IEP) in BHO: (not found)
(6/23/05 09:57:32) UBF: 4 - UBB: 2 - UBR: 18
(6/23/05 09:57:32) UBF: 4 - UBB: 2 - UBR: 18
(6/23/05 09:57:32) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
(6/23/05 09:57:32) Stealth-String not found
(6/23/05 09:57:32) Not infected->END


(7/11/05 09:59:07) SPSeHjFix started v1.1.2
(7/11/05 09:59:07) OS: WinXP Service Pack 1 (5.1.2600)
(7/11/05 09:59:07) Language: english
(7/11/05 09:59:07) Win-Path: C:\WINDOWS
(7/11/05 09:59:07) System-Path: C:\WINDOWS\System32
(7/11/05 09:59:07) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\


(7/11/05 10:37:21) SPSeHjFix started v1.1.2
(7/11/05 10:37:21) OS: WinXP Service Pack 1 (5.1.2600)
(7/11/05 10:37:21) Language: english
(7/11/05 10:37:21) Win-Path: C:\WINDOWS
(7/11/05 10:37:21) System-Path: C:\WINDOWS\System32
(7/11/05 10:37:21) Temp-Path: C:\DOCUME~1\Darren\LOCALS~1\Temp\
(7/11/05 10:37:23) Disinfection started
(7/11/05 10:37:23) Bad-Dll(IEP): (not found)
(7/11/05 10:37:23) Bad-Dll(IEP) in BHO: (not found)
(7/11/05 10:37:23) UBF: 4 - UBB: 1 - UBR: 5
(7/11/05 10:37:23) UBF: 4 - UBB: 1 - UBR: 5
(7/11/05 10:37:23) Bad IE-pages: (none)
(7/11/05 10:37:23) Stealth-String not found
(7/11/05 10:37:23) Not infected->END

Edited by dazlia, 11 July 2005 - 03:56 AM.

  • 0

#3
dazlia

dazlia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Kaspesky log :-

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Monday, July 11, 2005 10:56:34
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/07/2005
Kaspersky Anti-Virus database records: 129936
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Darren\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 11860
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 437 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.
  • 0

#4
Canoeingkidd

Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts
Hello dazlia, welcome to Geeks To Go. :tazz:

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Scan with Ewido trojan scanner:
  • Run Ewido.
  • Click on scanner.
  • Click Complete System Scan.
  • Let the program scan the machine.
  • When it finds a bad file, it will ask you what you want to do with it. You must make a selection before you continue scanning.
    • Ewido has been detecting false positives lately, so do not select "Perform action with all infections".
    • Unless it is a file you know to be legitimate, select remove and click OK.
    • If you know the file is legitimate, select none and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
    • Click Save report.
    • Save the report to your desktop.
Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Do you know if this file is legitimate?:
C:\WINDOWS\System32\DispMan.exe
Visit it in Windows Explorer and right-click > "Properties" for more information.

Also, is Timbuktu legitimatly installed on your computer? If it is it is probably work related. Here is a description:

With Timbuktu Pro, you can control or observe a remote PC or Macintosh, from anywhere on your network, including dialing in from off campus. Timbuktu is especially helpful for user support and management of remote servers. You can also transfer files between Macintosh and PC platforms easily, without using a server.


  • 0

#5
dazlia

dazlia

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi mate, thansk for the reply will work through this is a while.

With regards your questions though :-

Yes Dispman.exe is a part ofthe software for a Pixel Perfect Widescreen graphics card.

And Timbuktu is ok, we use it at work for connecting remotly to customers PC to update them.

Ill let you know how i get on. :tazz:

cherers
daz
  • 0

#6
Canoeingkidd

Canoeingkidd

    Malware Expert

  • Retired Staff
  • 148 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP