win32/Rootkit [RESOLVED]


This topic is locked

#1 PANCAK3 (Member, 125 posts)
I have the same problem as in
http://www.geekstogo...l=Win32/Rootkit
Can I use the same solutions Trevuren suggests? Or do I need some other way, since I am using 2k Pro?



Logfile of HijackThis v1.99.1
Scan saved at 09:56:07 PM, on 2005-07-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\PDesk.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

O3 - Toolbar: |?-μ?(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOD32] C:\Program Files\ESET\nod32krn.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7B0A8738-654F-455A-A1DF-37C8402ABBEE} (Signature Class) - https://secure.capit.../FCliPKICOM.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.c...nloadPhotos.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Edited by PANCAK3, 10 July 2005 - 11:01 PM.

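A Python helper, added here and not from the thread, from HijackThis or from either poster, that parses logs in the format posted above, flags the things a log helper looks for by eye (toolbars marked "(no file)", services marked "(file missing)" or with an unknown owner, O4 Run entries that use a bare filename instead of a full path) and diffs two scans to show which entries and processes appeared or disappeared between them. The two embedded logs are constructed, shortened excerpts in the same format as the ones in this thread, not verbatim copies.

```python
"""Parse HijackThis v1.99 logs, flag entries worth a second look, and diff two scans.

Added example; not code from the thread. The two logs below are constructed,
shortened excerpts in the same format as the logs posted above.
"""
import re

# Constructed excerpt modelled on the first log posted in the thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:56:07 PM, on 2005-07-10
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# Constructed excerpt modelled on the last log posted in the thread.
LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 09:57:50 PM, on 2005-07-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter\THGuard.exe"
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O23 - Service: ..."
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')         # command starts with a drive path


def parse_log(text):
    """Return (processes, entries): running-process paths and (code, body) pairs."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False              # a blank line closes the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entries(entries):
    """Apply the checks a log reviewer does by eye; return [(reason, code, body)]."""
    findings = []
    for code, body in entries:
        # Toolbar or service whose target no longer exists: a leftover of something removed.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            findings.append(("target file missing", code, body))
        # Services without a recognised publisher deserve a look-up before being trusted.
        if code == "O23" and " - Unknown owner - " in body:
            findings.append(("service with unknown owner", code, body))
        # Run entries with a bare filename are resolved through the search path at logon,
        # so which file actually starts depends on what sits in those directories.
        if code == "O4":
            cmd = body.split("] ", 1)[1] if "] " in body else body
            if not ABS_PATH_RE.match(cmd):
                findings.append(("bare filename, relies on search path", code, body))
    return findings


def diff_logs(before, after):
    """Processes and entries present in one scan but not the other."""
    p1, e1 = parse_log(before)
    p2, e2 = parse_log(after)
    return {
        "added_entries": [e for e in e2 if e not in e1],
        "removed_entries": [e for e in e1 if e not in e2],
        "added_processes": sorted(set(p2) - set(p1)),
        "removed_processes": sorted(set(p1) - set(p2)),
    }


if __name__ == "__main__":
    for reason, code, body in flag_entries(parse_log(LOG_BEFORE)[1]):
        print(f"[{reason}] {code} - {body}")
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, items)
```

Flagged entries are only prompts for a look-up, as the thread shows: NOD32 reports "Unknown owner" and is legitimate, while the WinVNC4 service with a missing file is the kind of leftover worth removing.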



#2 kool808 (Visiting Staff, 1,690 posts)
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I have made a good fix for this, I will post a reply. Thank you for your patience.
=======================

You may have a similar problem; however, you have different results in the HijackThis log, therefore we need to fix this in another way! ;)

#3 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
==========================================
It is highly recommended that you install your HijackThis tool in a safe location where you can easily find it. It is suggested you place it in C:\HJT; that way it can create the backups necessary for a future restore.
==========================================

I don't see any infections in your system; I just doubt the NOD32 antivirus. I will try to verify it. Can you give me additional details on how your system is responding?

Place a shortcut to Panda ActiveScan on your desktop.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Reboot in SAFE MODE. (How to boot in Safe Mode...)
==========================================

Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

==========================================

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Edited by kool808, 15 July 2005 - 10:48 PM.


#4 PANCAK3 (Topic Starter, Member, 125 posts)
Hello, kool808!

I think I have fixed the rootkit problem after using Ewido Security the day I posted the message ;)
Here are the logs I scanned today...

Logfile of HijackThis v1.99.1
Scan saved at 09:23:15 PM, on 2005-07-16
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\PDesk.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\taskmgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: |?-μ?(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOD32] C:\Program Files\ESET\nod32krn.exe
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem\fmempro.exe" Startup
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {7B0A8738-654F-455A-A1DF-37C8402ABBEE} (Signature Class) - https://secure.capit.../FCliPKICOM.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.c...nloadPhotos.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

However... there seemed to be a problem in Ewido when I tried to save the report. An error message popped up saying that the memory can't be read, or something like that. The scanning process went smoothly though. So there's nothing inside the report besides the basic information such as date, time, etc.

I have also faced the same problem (the "memory can't be read" problem) when I used other programs. The program itself will shut down if I click YES on the message. It will do nothing if I click NO. Any idea how to fix this? :tazz:

#5 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
===================================

I don't see any infections in your system except for the GetRight download manager.

  • Open HijackThis
  • go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • close HJT
====================================
  • Open up the MS-DOS Prompt
  • type in cd\
  • cd progra~1 or cd program files
  • dir *.* >> c:\pflist.txt
  • exit
  • In your windows explorer locate pflist.txt
  • post the results here
POST these:
1.) Uninstall List
2.) Program Files List

#6 PANCAK3 (Topic Starter, Member, 125 posts)
pflist.txt:

OALPP02AB0
Hard Drive Serial Number: 1A47-17FE

Directory: C:\Program Files

2005-05-09 04:50p <DIR> .
2005-05-09 04:50p <DIR> ..
2005-05-09 04:50p <DIR> Common Files
2005-05-09 04:55p <DIR> Windows NT
2005-05-09 04:55p <DIR> Accessories
2005-05-09 04:57p <DIR> Internet Explorer
2005-05-09 04:57p <DIR> Outlook Express
2005-05-09 04:57p <DIR> NetMeeting
2005-05-09 04:57p <DIR> Windows Media Player
2005-05-09 04:58p <DIR> Intel
2005-05-09 04:58p <DIR> MouseWarePro
2005-05-09 04:58p <DIR> HP
2005-05-09 04:59p <DIR> microsoft frontpage
2005-05-09 05:14p <DIR> Zone Labs
2005-05-09 08:14p <DIR> Mozilla Firefox
2005-05-09 08:17p <DIR> WinZip
2005-05-09 11:33p <DIR> MSN Messenger
2005-05-10 03:55p <DIR> Microsoft Office
2005-05-10 03:56p <DIR> Microsoft Visual Studio
2005-05-10 03:56p <DIR> Microsoft ActiveSync
2005-05-10 03:59p <DIR> OfficeUpdate11
2005-05-10 05:28p <DIR> FlashGet
2005-05-10 05:30p <DIR> TuneUp Utilities
2005-05-10 05:32p <DIR> WinRAR
2005-05-10 06:00p <DIR> Kazaa Lite
2005-05-10 06:15p <DIR> ACD Systems
2005-05-10 07:00p <DIR> Dreye
2005-05-10 07:37p <DIR> Macromedia
2005-05-11 02:24p <DIR> Web Publish
2005-05-11 02:31p <DIR> DarkEden
2005-05-11 02:33p <DIR> softnyx
2005-05-11 03:29p <DIR> Overture
2005-05-11 03:33p <DIR> CuteFTP
2005-05-11 05:50p <DIR> Hewlett-Packard
2005-05-11 05:50p <DIR> ReadIRIS
2005-05-14 09:41a <DIR> Pop-Up Stopper
2005-05-14 10:12a <DIR> DivX
2005-05-20 10:56p <DIR> VNC4
2005-05-26 05:52p <DIR> QuickTime
2005-05-12 10:53p <DIR> f-bot
2005-05-28 11:18p <DIR> Ad-Aware
2005-05-31 05:30p <DIR> RealVNC
2004-06-04 12:00a <DIR> ESET
2001-04-27 08:04p 54,874,856 imejpn.exe
2005-06-13 06:02p <DIR> GetRight
2005-06-13 08:00p <DIR> SmartMusic Applications
2005-06-14 03:49p <DIR> Grand Theft Auto
2005-06-14 04:57p <DIR> mIRC
2005-06-24 01:08p <DIR> Sony
2005-06-24 01:11p <DIR> Sony Corporation
2005-06-24 03:08p <DIR> Winamp
2005-07-08 03:13p <DIR> BitComet
2005-07-10 09:29p <DIR> Ewido
2005-07-10 09:31p <DIR> CleanUp!
2005-07-14 11:47a <DIR> mxie
2005-07-15 10:21p <DIR> FreeMem
2005-07-16 11:01p <DIR> Alcohol Soft
1 Files 54,874,856 Bytes
56 Directories 8,408,121,344 Bytes available




Uninstall list:

L3n?e?Jak?a|X?1 2003
ACDSee 7.0 PowerPack
Ad-Aware SE Personal
BitComet 0.57
CleanUp!
DarkEden International
DivX
DivX Player
Dr.eye 2002 A?‥a3q
e-DiagTools LAN Configuration Agent
ewido security suite
ezPeer 1.9
FreeMem Professional
GetRight Pro
Grand Theft Auto Vice City
GunboundWC
Hewlett-Packard Extended Keyboard
HijackThis 1.99.1
hp psc 700 series
Intel Ultra ATA Storage Driver
Internet Explorer Q903235
Japanese Language Support
Kazaa Lite K++ v2.4.3
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Matrox 1II3nAe (?E--2?£)
Microsoft Global IME for Office XP (Japanese)
Microsoft Office XP Professional
Microsoft Visual Basic 6.0 Professional Edition
Microsoft Web Publishing Wizard 1.53
mIRC
MouseWare Pro
Mozilla Firefox (1.0.5)
MSN Messenger 7.0
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Overture 3.1.0
Pop-Up Stopper Free Edition
SmartMusic Content (shared music files)
SmartMusic Studio 8
SonicStage 3.0
TuneUp Utilities 2004
VNC 4.0
Winamp (remove only)
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB883939
Windows 2000 Hotfix - KB887797
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB890923
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix (SP5) Q818043
Windows 2000 SP4 aoosJA`RM¥o 1
Windows Installer 3.1 (KB893803)
Windows Media Player ‥t2Ios (9 ‥t|C)
Windows Media Player 9 Hotfix [|p?Y﹐O2O﹐eT!A?DN?\ KB885492]
Windows Media Player Hotfix [?DN?\ Q828026 ‥uo‥a¥L﹐eT]
WinRAR archiver
WinZip
ZoneAlarm Pro

#7 kool808 (Visiting Staff, 1,690 posts)
For the meantime, let us get rid of these first:

Reboot in SAFE MODE. (How to boot in Safe Mode...)
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist

  • Click Uninstall

  • Confirm with OK
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\Program Files\Kazaa Lite
Finally, Empty Recycle Bin
=====================================
Reboot in NORMAL MODE:

  • Open up the MS-DOS Prompt

  • type in cd\

  • dir *peer*.* /s >> c:\peer.txt

  • exit

  • In your windows explorer locate C:\peer.txt, select all contents

  • post the results here


Have an online scan at these sites: Trend Micro or Panda Scan or BitDefender.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the results from Panda Scan and Trend Micro.
  • Post the peer.txt result
  • Please tell me how your system is working now.

Edited by kool808, 17 July 2005 - 05:38 PM.


#8 PANCAK3 (Topic Starter, Member, 125 posts)
HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 09:40:54 AM, on 2005-07-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\PDesk.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\taskmgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: |?-μ?(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOD32] C:\Program Files\ESET\nod32krn.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (AI?O?iT?u?W??rμ{|!) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B0A8738-654F-455A-A1DF-37C8402ABBEE} (Signature Class) - https://secure.capit.../FCliPKICOM.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.c...nloadPhotos.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)



peer.txt

OALPP02AB0
Serial Number: 1A47-17FE

Directory: C:\

2005-07-17 11:18p 0 peer.txt
2005-06-05 05:05p <DIR> ezPeer1.9
1 File 0 Byte

Directory: C:\I386

2000-01-10 12:00p 38,878 IEPEERS.DL_
1 File 38,878 Bytes

Directory: C:\ezPeer1.9

2005-05-19 02:24p 5,471,744 ezPeer.exe
1 File 5,471,744 Bytes

Directory: C:\ezPeer1.9\ezsys

2005-07-17 12:13a 4,212 peerlist.dat
1 File 4,212 Bytes

Directory: C:\ezPeer1.9\shell\chat\Default

2003-07-08 02:34a 7,026 ezPeerCht19-close.bmp
2003-07-08 02:31a 446 ezPeerCht19-exit.bmp
2003-07-08 02:32a 3,098 ezPeerCht19-fb.bmp
2003-07-08 02:32a 3,098 ezPeerCht19-fi.bmp
2003-07-08 02:33a 3,098 ezPeerCht19-fu.bmp
2003-07-08 02:31a 8,082 ezPeerCht19-inf.bmp
2003-07-08 10:31p 7,026 ezPeerCht19-join.bmp
2003-07-08 02:31a 286 ezPeerCht19-min.bmp
2003-07-08 02:33a 7,026 ezPeerCht19-ok.bmp
2003-07-08 02:33a 3,074 ezPeerCht19-smi.bmp
2003-07-08 10:34p 7,026 ezPeerCht19-upd.bmp
2003-07-15 06:40a 1,136 ezPeerCht19-setup.bmp
2003-07-17 11:30a 371,078 ezPeerCht19-ma.bmp
13 Files 421,500 Byte

Directory: C:\ezPeer1.9\shell\清涼水叮噹(Default)

2003-07-12 02:01a 4,716 ezPeerskin19-bbs.bmp
2003-07-12 02:05a 5,864 ezPeerskin19-bor.bmp
2003-07-12 12:58a 7,780 ezPeerskin19-buy.bmp
2003-07-12 02:01a 4,708 ezPeerskin19-ch.bmp
2003-05-27 10:06a 1,620 ezPeerskin19-exit.bmp
2004-05-07 04:38p 5,860 ezPeerskin19-ezbas.bmp
2003-05-27 10:37a 4,756 ezPeerskin19-ezmsg.bmp
2003-07-12 02:00a 4,704 ezPeerskin19-ezoff.bmp
2003-07-12 02:00a 11,096 ezPeerskin19-ezon.bmp
2003-07-12 12:58a 14,528 ezPeerskin19-go.bmp
2003-05-27 10:39a 4,756 ezPeerskin19-hon.bmp
2003-05-22 03:19a 660 ezPeerskin19-im.bmp
2003-07-12 12:56a 465,896 ezPeerskin19-ma.bmp
2003-07-12 01:40a 30,632 ezPeerskin19-me.bmp
2003-07-11 12:34a 1,568 ezPeerskin19-min.bmp
2003-07-12 02:01a 4,656 ezPeerskin19-msg.bmp
2003-05-22 03:20a 660 ezPeerskin19-mu.bmp
2003-05-22 07:22a 3,676 ezPeerskin19-nex.bmp
2003-05-22 07:21a 3,676 ezPeerskin19-ply.bmp
2003-07-12 01:40a 30,632 ezPeerskin19-pp.bmp
2003-05-22 07:21a 3,676 ezPeerskin19-pre.bmp
2003-05-22 07:22a 3,676 ezPeerskin19-pus.bmp
2003-07-12 01:38a 11,272 ezPeerskin19-sea.bmp
2003-05-27 10:05a 1,608 ezPeerskin19-set.bmp
2003-05-22 07:22a 3,676 ezPeerskin19-stp.bmp
2003-05-22 03:20a 660 ezPeerskin19-te.bmp
2003-05-22 03:17a 660 ezPeerskin19-url.bmp
2003-05-22 03:18a 668 ezPeerskin19-vi.bmp
2003-07-12 01:39a 11,272 ezPeerskin19-xf.bmp
29 Files 649,612 Bytes

Directory: C:\WINNT\system32

2005-02-18 05:39p 236,032 IEPEERS.DLL
1 File 236,032 Bytes

Directory: C:\WINNT\system32\dllcache

2005-02-18 05:39p 236,032 IEPEERS.DLL
1 File 236,032 Bytes

Directory: C:\WINNT\$NtUninstallKB890923-IE6SP1-20050225.103456$

2002-08-29 09:33a 231,424 iepeers.dll
1 File 231,424 Bytes

Directory: C:\WINNT\ServicePackFiles\i386

2003-06-20 03:05a 100,112 iepeers.dll
1 File 100,112 Bytes

Directory: C:\Documents and Settings\All Users\「Start」Program Files\Application

2005-06-05 05:05p <DIR> ezPeer1.9
0 File 0 Byte

Directory: C:\Documents and Settings\All Users\「Start」Program Files\Application\ezPeer1.9

2005-06-05 05:05p 410 Uninstall ezPeer 1.9.lnk
1 File 410 Bytes

Directory: C:\Documents and Settings\Administrator\「Start」Program Files\Application

2005-06-05 05:05p <DIR> ezPeer1.9
0 File 0 Bytes

Directory: C:\Documents and Settings\Administrator\「Start」Program Files\Application\ezPeer1.9

2005-06-05 05:05p 377 ezPeer.lnk
1 File 377 Bytes

Directory: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch

2005-06-05 05:27p 365 ezPeer 1.9.lnk
1 File 365 Bytes

Total Number of Files:
53 Files 7,390,698 Bytes
3 Directories 8,181,923,840 Bytes available


Panda Activescan:

Incident Status
Adware:adware/brilliantdigital No disinfected

Location
HKEY_CLASSES_ROOT\Interface\{48E59292-9880-11CF-9754-00AA00C00908}
and there's no report from Trend Micro.

One down... one more to go :tazz: and still sometimes the error message will come out when I run some programs =(

Edited by PANCAK3, 18 July 2005 - 11:33 AM.


#9 kool808 (Visiting Staff, 1,690 posts)
Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
=========================================

1.) Please download and install TrojanHunter to a place where you can easily remember it : http://www.snapfiles.com/get/trojanhunter.html
Download all latest updates
Do NOT run the scans yet!

2.) If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Do NOT run the scan yet!

Reboot in SAFE MODE. (How to boot in Safe Mode...)

This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.

  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • VNC 4.0
  • Click Uninstall
  • Confirm with OK
===================================
Open Ad-Aware, then perform a full system scan.

Open TrojanHunter, be sure to put a check mark on My Computer as well as Desktop. (This will automatically put check marks on all boxes)
Have a full system scan. Save a report if necessary.
===================================
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or file(s) if they exist (in bold):
  • C:\Program Files\VNC 4.0
  • C:\Program Files\RealVNC
Finally, Empty Recycle Bin

===================================
Reboot in NORMAL MODE.
  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the report from TrojanHunter.
  • Please tell me how your system is working now.


#10 PANCAK3 (Topic Starter, Member, 125 posts)
Hello! Here are the logs...

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 09:57:50 PM, on 2005-07-18
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZONELABS\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\PDesk.exe
C:\Program Files\MouseWarePro\MWProEng.exe
C:\WINNT\system32\HpMmKbd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\taskmgr.exe
C:\HJT\HijackThis.exe

O3 - Toolbar: |?-μ?(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [MWProEng] C:\Program Files\MouseWarePro\MWProEng.exe
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NOD32] C:\Program Files\ESET\nod32krn.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O16 - DPF: Arcsoft Web Uploader - http://www.hpphoto.c...dFileApplet.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (AI?O?iT?u?W??rμ{|!) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B0A8738-654F-455A-A1DF-37C8402ABBEE} (Signature Class) - https://secure.capit.../FCliPKICOM.cab
O16 - DPF: {7BA7BCE2-D359-4407-82D9-CDF9A74C487A} (DownLoadStub Class) - http://www.hpphoto.c...nloadPhotos.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: e-DiagTools LAN Configuration Agent (edtlancfg) - Unknown owner - C:\Program Files\HP\e-DiagTools\Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZONELABS\vsmon.exe



log from trojan hunter:

Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
C:\hiberfil.sys Not scanned (in use by another application)
C:\PAGEFILE.SYS Not scanned (in use by another application)
Found trojan file: C:\Documents and Settings\Administrator\My Documents\MY RECEIVED FILES\Hp Mp Hack.zip/wpeproalpha0_9a.exe/awTV.exe (Bropia.100)
(DELETED)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\0EGZjHO.exe Not scanned (in use by another application)
(VIRUS....DELETED)
Found trojan file: C:\unzipped\Hp Mp Hack\Hp Mp Hack\wpeproalpha0_9a.exe/zgdDh.exe (Bropia.100)
(DELETED)
2 trojan files found
14552 files scanned in 1705 seconds



I think my computer is better now?? :tazz: I don't know... haven't noticed any difference

#11
kool808
    Visiting Staff
  • Member
  • 1,690 posts

You did it very well! Good job, your system is now A-OK!


Congratulations! :tazz: your system is CLEAN!

;) :help: ;)

WinXP Reset & All-Clean1

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

and a good antivirus (these are also free for personal use):

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?
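An added example, not part of kool808's post or this thread: the two changes above (hide hidden and protected system files, then discard the old restore points and take a clean one) done from Windows PowerShell so a helper can verify them after cleanup. It assumes Windows 7 or later run as Administrator; Windows 2000 has neither PowerShell nor System Restore, so it does not apply to the original poster's machine.

```powershell
# Added example, not from the thread. Assumes Windows 7+ and an elevated
# Windows PowerShell session; the registry value names below are the real
# Explorer settings behind the Folder Options checkboxes.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Test-HiddenFileSettings {
    # Hidden = 2  -> "Show hidden files and folders" is unchecked
    # ShowSuperHidden = 0 -> "Hide protected operating system files" is checked
    $p = Get-ItemProperty -Path $adv
    [pscustomobject]@{
        HiddenFilesHidden = ($p.Hidden -eq 2)
        SystemFilesHidden = ($p.ShowSuperHidden -eq 0)
    }
}

function Set-HiddenFileSettings {
    # Same end state as the Folder Options clicks; Explorer picks the
    # values up the next time it starts (sign out or restart Explorer).
    Set-ItemProperty -Path $adv -Name Hidden          -Value 2 -Type DWord
    Set-ItemProperty -Path $adv -Name ShowSuperHidden -Value 0 -Type DWord
}

function Reset-RestorePoints {
    param([string]$Drive = 'C:\')
    # Disabling System Restore discards every existing restore point, and
    # with them any infected files Windows backed up there. Re-enabling it
    # and taking a fresh checkpoint gives a known-clean baseline; no reboot
    # is needed between the two on modern Windows.
    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
    Checkpoint-Computer -Description 'Clean baseline after malware removal' `
                        -RestorePointType 'MODIFY_SETTINGS'
    Get-ComputerRestorePoint | Select-Object -Last 1
}

$before = Test-HiddenFileSettings
if (-not ($before.HiddenFilesHidden -and $before.SystemFilesHidden)) {
    Set-HiddenFileSettings
}
Test-HiddenFileSettings   # both fields should now read True
Reset-RestorePoints
```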

#12
PANCAK3
    Member
  • Topic Starter
  • Member
  • 125 posts
Hello again!
I have set the hidden/system files and folders. However, i can't find the System Restore tab in the Properties. There are five tabs:
General
Network Identification
Hardware
User Settings and
Advanced

(All translating from Chinese...)
There are three options under the Advanced section. I don't know if it's one of them or something else?

#13
kool808
    Visiting Staff
  • Member
  • 1,690 posts
Oops, sorry, I almost forgot you were running on a Win 2000 OS :tazz: . That was from my speech templates for Win XP users.

Anyways read here: http://support.micro...kb;en-us;240363

Then proceed with the next tips I gave you. ;)

#14
PANCAK3
    Member
  • Topic Starter
  • Member
  • 125 posts
OK OK, DONE :tazz: thanks for the help ;)

#15
kool808
    Visiting Staff
  • Member
  • 1,690 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.