Can't shake these Trojans [RESOLVED]


  • This topic is locked

#16
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
If you want all the exceptions listed in the Windows firewall, in addition to Remote Assistant and Task Panl there are also File and Printer Sharing, Remote Desktop, and UPnP Framework, but these are not checked.

McAfee is still detecting C:\WINDOWS\SYSTEM32\RDSNDIN.EXE every time it starts up.
  • 0


#17
Wizard

  • Retired Staff
  • 5,661 posts
Hmm... This is most puzzling, unless the system is actually hacked!

Do this for me please

Update Ewido and MWAV!

Have Remv3 ready for Safe Mode use!

Delete the old WinPfind and Download the new one from here
http://www.bleepingc...es/winpfind.php

Go into Safe Mode!

Scan with Remv3 first!

Scan with WinPFind next!

Scan with MWAV next!

Scan with Ewido Last!

Save all the Reports!

While in Safe Mode!

Look on the System for these files please!


C:\WINDOWS\SYSTEM32\drv2cltr.dll

C:\WINDOWS\SYSTEM32\RDSNDIN.EXE

C:\WINDOWS\system32\cisvvc.exe

C:\WINDOWS\system32\csmgf.exe

C:\WINDOWS\system32\hybsys32.dll

C:\WINDOWS\system32\loadctr.exe

C:\WINDOWS\system32\gpsresl32.exe


When you post back, please give me as much information as you can!

I don't care if you think it's insignificant, just give me as much info about what you find and what else the system is doing and if McAfee is flagging anything else!

Post the results of all 4 scans and I will ask for some extra eyes on this one!

Edited by Cretemonster, 19 July 2005 - 04:34 PM.

  • 0

#18
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
Remv3:

The batch is run from -- C:\Documents and Settings\Joshua Cohn\Desktop\remv3

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 34EE-EBDB

Directory of C:\WINDOWS\SYSTEM32

msi.dll
Finished



Winpfind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 7:00:00 AM 41397 C:\WINDOWS\system32\DFRG.MSC
PEC2 2/14/1997 10:24:14 PM 197171 C:\WINDOWS\system32\Dwapilib.tlb
PECompact2 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 7/6/2005 10:21:30 PM 1366872 C:\WINDOWS\system32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\system32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\system32\rasdlg.dll
winsync 8/29/2002 7:00:00 AM 1309184 C:\WINDOWS\system32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 5:14:52 PM 0 oem33.inf
7/7/2005 5:17:24 PM 0 oem34.inf
7/9/2005 4:19:44 PM 286777 package_16.cab
7/17/2005 7:21:38 PM 5 AuxDrv32b_d.oxc
7/20/2005 11:42:02 AM 8192 DEFAULT.LOG
7/20/2005 11:42:26 AM 1024 SAM.LOG
7/20/2005 11:42:16 AM 16384 SECURITY.LOG
7/20/2005 11:42:28 AM 114688 SOFTWARE.LOG
7/20/2005 11:42:22 AM 884736 SYSTEM.LOG
7/14/2005 9:22:42 AM 1024 NTUSER.DAT.LOG
5/21/2005 9:14:10 PM 388 391ec4df-8d44-4633-ba0d-ba38caf0eb93
5/21/2005 9:14:10 PM 24 Preferred
7/20/2005 11:41:24 AM 6 SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
1/13/2005 2:13:04 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
2/1/2004 10:45:44 PM 831 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
2/1/2004 10:47:56 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
1/13/2005 2:10:16 AM 1214 C:\Documents and Settings\Joshua Cohn\Application Data\AdobeDLM.log
1/13/2005 2:10:16 AM 0 C:\Documents and Settings\Joshua Cohn\Application Data\dm.ini
7/11/2005 4:51:00 PM 60160 C:\Documents and Settings\Joshua Cohn\Application Data\GDIPFONTCACHEV1.DAT
12/22/2004 10:43:14 PM 4713 C:\Documents and Settings\Joshua Cohn\Application Data\wo.tmp

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\SV1
SV1 =

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StuffIt Compress Menu
=
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
BCMSMMSG BCMSMMSG.exe
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Dell QuickSet C:\Program Files\Dell\QuickSet\quickset.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
VSOCheckTask "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
VirusScan Online "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
E6TaskPanel "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoBandCustomize 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.



Mwav:

File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Documents and Settings\Joshua Cohn\Desktop\Nailfix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032673.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032674.dll infected by "Trojan-PSW.Win32.Agent.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP257\A0032746.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0032913.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP261\A0033912.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033932.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP262\A0033942.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034008.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034017.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0034021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP263\A0035021.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035037.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035052.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035061.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035077.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035081.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035164.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035168.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035178.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035180.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036184.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036189.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036199.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036203.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036213.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.


Ewido:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:20:57 PM, 7/20/2005
+ Report-Checksum: F04434

+ Scan result:

C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP264\A0035069.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0035089.exe -> Spyware.Msnagent : Cleaned with backup


::Report End


I found and deleted C:\WINDOWS\system32\gpsresl32.exe in a search after all scans were run.

In addition, in the past few days, my system is having a difficult time booting up. It becomes unresponsive and I'm forced to restart my computer.


It does not appear as though my MS Word files are infected and that's really all that I need on this computer. If I back those up, would you recommend reinstalling Windows to get rid of these trojans, because they seem to be completely unshakeable?
  • 0

#19
Wizard

  • Retired Staff
  • 5,661 posts
Do you remember any Instance or references to the program WareOut?

That's exactly what the files are associated with!

Let's give this a try before throwing in the towel!

You are going to have to check both the Windows and McAfee firewalls for any exceptions like rk.exe or the like!

Check Add\Remove for WareOut and Relevant Knowledge

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Download the attached Zip file, I have enclosed a Registry file that should unlock some of this!

Locate the Registry File and Double Click to execute-> Allow it to Merge into the Registry!

Copy&Paste each entry below into Killbox and use the Instructions that follow

C:\WINDOWS\system32\cisvvc.exe
C:\WINDOWS\system32\csmgf.exe
C:\WINDOWS\system32\drv2cltr.dll
C:\WINDOWS\system32\hybsys32.dll
C:\WINDOWS\system32\loadctr.exe
C:\WINDOWS\system32\rdsndin.exe


Once each is Pasted into Killbox,place a tick by "Delete on Reboot"

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Restart Normal and Post back!

Here is where some of the Information came from
http://www.easydesks...news/news29.htm

Attached Files

  • Attached File  wo.zip   417bytes   41 downloads

Edited by Cretemonster, 20 July 2005 - 02:50 PM.

  • 0

#20
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
Yes! A WareOut icon did appear on my computer about two weeks ago and I removed it (but apparently not all of it).

PendingFileRenameOperations Registry Data has been Removed by External Process did appear when I tried to Killbox the files you listed so I restarted manually.

I read the article your last post linked me to. Unbelievable. Should I run the program the author mentioned that removes WareOut and its agents or have I done enough to get rid of it already?
  • 0

#21
Wizard

  • Retired Staff
  • 5,661 posts
Did you merge the Registry File and try running the files through Killbox again?

I haven't had a chance to read the entire article but from what I have read, it's worth looking into!

Why not have a read further and see what you think!


Is there any noticeable difference in the PC?


Let me know!
  • 0

#22
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
I merged the registry and tried running through Killbox again. I also downloaded the trial version of the program the author of the article mentions. The scan did not come up with WareOut, so I'd assume we got it.

The computer seems to be running okay right now. I'll keep you posted.
  • 0

#23
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
Let me ask you one more question. The PCsecure scan I ran says that my system is infected with the W32 Elitper Worm. The directions of how to clean the worm according to the Easy Desk Software website are as follows:

W32.Elitper:
This worm has changed your Registered User name and the name of your computer. Reset the value "RegisteredOwner" at the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion. Reset the value "ComputerName" at the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ActiveComputerName and then reboot.

How do I go about resetting these values?
  • 0

#24
Wizard

  • Retired Staff
  • 5,661 posts
Since you are the only one that knows what these names are supposed to be, you will have to navigate those paths in the registry and reset the names to reflect what you have named the Computer!

Registrar Lite makes this much easier
http://www.resplendence.com/downloads

Copy&Paste the path below into the Address Bar of Reg Lite

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName

When you look at the "Active Computer" and "Computer Name"

They should show no more than the Name you gave the PC when you bought it!

Remove any keys that show a different Owner or Computer Name

Copy&Paste the path below into the Address Bar of Reg Lite

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion

Locate the subkey "RegisteredOwner" and eliminate anything other than your name or the Computer name!
  • 0

#25
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
The program is now telling me that I must Reset the following Registry Key Values: AntiVirusDisableNotify at SOFTWARE\Microsoft\Security Center and FirewallDisableNotify at SOFTWARE\Microsoft\Security Center.

Using the Reg Lite program, I don't see any option of how to reset these values. What should I do?
  • 0


#26
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
I also just ran an ewido scan. It's still picking up some trojans.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:13:30 PM, 7/21/2005
+ Report-Checksum: 24EB5F7D

+ Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP265\A0036218.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\csfdt.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup


::Report End
  • 0

#27
Wizard

  • Retired Staff
  • 5,661 posts
I am attaching a Reg file for you to merge into the Registry!

Unzip it to the Desktop and Extract All!

Double Click to Execute and allow it to merge into the registry!

Now Click Start-> Control Panel-> Security Center-> Windows Firewall->Advanced-> Restore Default!


Now, do you have the Installation CD from McAfee?

If so, completely Uninstall and Reinstall McAfee!

Now run this Online Scan
http://uk.trendmicro...call_launch.php

Make sure to Select Auto Clean and delete all it finds!

Let's see if these changes don't make a difference!

Attached Files

  • Attached File  SC.zip   384bytes   40 downloads

  • 0

#28
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
I merged the file into the registry and ran the online scan which came back clean but when I ran Ewido in safe mode right after, it came up with the following spyware and Trojan.

Looking back on the other scans, it seems like the TrojanDropper.Vidro in the C:\System Volume Information\_restore is just jumping from file to file each time I restart. Any thoughts on how to outsmart this sucker?



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:51:47 PM, 7/22/2005
+ Report-Checksum: CCE8C99D

+ Scan result:

C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Joshua Cohn\Cookies\joshua cohn@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0036425.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP267\A0036426.exe -> Spyware.Msnagent : Cleaned with backup


::Report End
  • 0

#29
Wizard

  • Retired Staff
  • 5,661 posts
Now this we can deal with!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Restart the PC and Download these 2 programs

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!


CCleaner:
http://www.filehippo...d_ccleaner.html

Open CCleaner and Click "Run Cleaner"

It will do the rest, don't use any of the other functions!

Now re-enable System Restore and Restart in Safe Mode and Scan again with Ewido!

Let's see if that scan doesn't look better!
  • 0
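
An added illustration, not part of any post in this thread: the Python sketch below sorts lines from the ewido and MWAV reports posted above by where the flagged file lives, which separates archived System Restore copies (the `_restore{...}\RPnnn` paths) from live files in `system32`. The function names and location labels are this example's own; the sample lines are copied from posts #18, #26 and #28.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    name: str      # detection name exactly as the scanner reported it
    action: str    # what the scanner says it did
    location: str  # label from classify(); the labels are this example's own


# ewido:  <path> -> <detection> : <action>
EWIDO = re.compile(r'^(?P<path>[A-Za-z]:\\.+?) -> (?P<name>\S+) : (?P<action>.+)$')
# MWAV:   File <path> infected by "<detection>" Virus. Action Taken: <action>.
MWAV_INFECTED = re.compile(
    r'^File (?P<path>[A-Za-z]:\\.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.?$')
# MWAV:   File <path> tagged as <detection>. No Action Taken.
MWAV_TAGGED = re.compile(
    r'^File (?P<path>[A-Za-z]:\\.+?) tagged as (?P<name>\S+?)\. '
    r'(?P<action>No Action Taken)\.?$')

RESTORE_POINT = re.compile(
    r'\\system volume information\\_restore\{[^}]+\}\\(rp\d+)\\', re.I)
SYSTEM32 = re.compile(r'^[a-z]:\\windows\\system32\\', re.I)


def classify(path: str) -> str:
    """Label a flagged path by where on disk it lives."""
    if RESTORE_POINT.search(path):
        return "restore_point"
    if "\\cookies\\" in path.lower():
        return "cookie"
    if SYSTEM32.match(path):
        return "system32"
    return "other"


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; headers and separators return None."""
    line = line.strip()
    for pattern in (MWAV_INFECTED, MWAV_TAGGED, EWIDO):
        m = pattern.match(line)
        if m:
            return Finding(m["path"], m["name"], m["action"], classify(m["path"]))
    return None


def triage(lines):
    """Return the findings in a report, skipping non-finding lines."""
    return [f for f in map(parse_line, lines) if f is not None]


def by_location(findings) -> Counter:
    return Counter(f.location for f in findings)


def restore_points(findings):
    """Restore-point folders (RPnnn) that still hold flagged copies."""
    return sorted({RESTORE_POINT.search(f.path).group(1).upper()
                   for f in findings if f.location == "restore_point"})


def only_restore_copies_remain(findings) -> bool:
    """True when, cookies aside, every detection is a restore-point copy."""
    files = [f for f in findings if f.location != "cookie"]
    return bool(files) and all(f.location == "restore_point" for f in files)


RP = r"C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}"
COOKIES = r"C:\Documents and Settings\Joshua Cohn\Cookies"

# ewido report of 7/21/2005 (post #26), lines copied from the thread
SCAN_21_JULY = [
    RP + r"\RP265\A0036218.exe -> TrojanDropper.Vidro.p : Cleaned with backup",
    r"C:\WINDOWS\SYSTEM32\csfdt.exe -> TrojanDropper.Vidro.p : Cleaned with backup",
    r"C:\WINDOWS\SYSTEM32\ntfsnlpa.exe -> Spyware.Msnagent : Cleaned with backup",
]
# ewido report of 7/22/2005 (post #28), lines copied from the thread
SCAN_22_JULY = [
    "+ Scan result:",
    COOKIES + r"\joshua cohn@247realmedia[1].txt -> Spyware.Cookie.247realmedia : Cleaned with backup",
    COOKIES + r"\joshua cohn@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup",
    COOKIES + r"\joshua cohn@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup",
    RP + r"\RP267\A0036425.exe -> TrojanDropper.Vidro.p : Cleaned with backup",
    RP + r"\RP267\A0036426.exe -> Spyware.Msnagent : Cleaned with backup",
    "::Report End",
]
# MWAV lines from post #18, copied from the thread
MWAV_SAMPLE = [
    "File " + RP + r'\RP257\A0032746.exe infected by "Trojan-Dropper.Win32.Vidro.p" Virus. Action Taken: File Deleted.',
    "File " + RP + r"\RP264\A0035069.exe tagged as not-a-virus:AdWare.Msnagent.b. No Action Taken.",
]

if __name__ == "__main__":
    for label, report in (("21 July", SCAN_21_JULY), ("22 July", SCAN_22_JULY)):
        found = triage(report)
        print(label, dict(by_location(found)), restore_points(found),
              "restore-point copies only:", only_restore_copies_remain(found))
```

On the 21 July report the two live `system32` detections show cleaning was not finished; on the 22 July report only restore-point copies remain, which is the case the reply above handles by turning System Restore off and back on.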

#30
joshcohn20

  • Topic Starter
  • Member
  • 27 posts
The scans are coming back clean. I think we got it. Thank you so much!
  • 0





