Win32:Trojan-gen. rdriv.sys infected


#1
festevil (New Member, 9 posts)
I followed all the required steps before posting and avast is still detecting the virus. I did a boot scan with avast and it said the files were removed, but whenever the computer boots up, it finds the infection again.

Logfile of HijackThis v1.99.1
Scan saved at 3:07:48 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca...s/BwOutlook.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - C:\WINDOWS\lsass.exe

#2
Wizard (Retired Staff, 5,661 posts)
Hi festevil and Welcome to GeekstoGo!

Please upload a sample of these 2 files!

C:\WINDOWS\lsass.exe

C:\WINDOWS\system.exe

Please Upload them here
http://www.bleepingc...mit-malware.php

Leave a link to log when you Upload please!

Now, if you will, go to each of the sites below and have those Scanned!

Try to Copy&Paste the entire results, including the file, to a notepad page!

Post those Results here and let's have a look!

After that, I need you to run a Scan for Root Kit Files

Please download rkfiles.zip and unzip it to its own permanent folder
http://skads.org/special/rkfiles.zip

Reboot in Safe Mode

Locate the rkfiles.bat file and double-click it to run it.

When the DOS window closes, reboot back to normal mode.

Post the contents of C:\log.txt

After that run an Online Scan here
http://housecall.trendmicro.com/

Edited by Cretemonster, 13 July 2005 - 08:34 AM.


#3
festevil (Topic Starter, 9 posts)
Thanks for the reply, Cretemonster. I uploaded the 2 files C:\WINDOWS\SYSTEM32\lsass.exe and C:\WINDOWS\system.exe.
I scanned the files at http://www.virustotal.com/ and here are the results.

This is a report processed by VirusTotal on 07/13/2005 at 22:19:06 (CET) after scanning the file "system.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.9 07.13.2005 Worm/Mydoom.S2
AVG 718 07.13.2005 no virus found
Avira 6.31.0.9 07.13.2005 Worm/Mydoom.S2
BitDefender 7.0 07.13.2005 no virus found
CATQuickHeal 7.03 07.13.2005 (Suspicious) - DNAScan
ClamAV devel-20050501 07.13.2005 no virus found
DrWeb 4.32b 07.13.2005 no virus found
eTrust-Iris 7.1.194.0 07.12.2005 no virus found
eTrust-Vet 11.9.1.0 07.13.2005 no virus found
Fortinet 2.36.0.0 07.13.2005 no virus found
F-Prot 3.16c 07.13.2005 no virus found
Ikarus 2.32 07.13.2005 Backdoor.Win32.Agobot.ACE
Kaspersky 4.0.2.24 07.13.2005 Trojan.Win32.Pakes
McAfee 4534 07.13.2005 no virus found
NOD32v2 1.1167 07.13.2005 no virus found
Norman 5.70.10 07.12.2005 no virus found
Panda 8.02.00 07.13.2005 no virus found
Sybari 7.5.1314 07.13.2005 Trojan.Win32.Pakes
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.13.2005 no virus found

This is a report processed by VirusTotal on 07/13/2005 at 22:21:20 (CET) after scanning the file "lsass.exe" file.
Antivirus Version Update Result
AntiVir 6.31.0.9 07.13.2005 no virus found
AVG 718 07.13.2005 no virus found
Avira 6.31.0.9 07.13.2005 no virus found
BitDefender 7.0 07.13.2005 no virus found
CATQuickHeal 7.03 07.13.2005 no virus found
ClamAV devel-20050501 07.13.2005 no virus found
DrWeb 4.32b 07.13.2005 no virus found
eTrust-Iris 7.1.194.0 07.12.2005 no virus found
eTrust-Vet 11.9.1.0 07.13.2005 no virus found
Fortinet 2.36.0.0 07.13.2005 no virus found
F-Prot 3.16c 07.13.2005 no virus found
Ikarus 2.32 07.13.2005 no virus found
Kaspersky 4.0.2.24 07.13.2005 no virus found
McAfee 4534 07.13.2005 no virus found
NOD32v2 1.1167 07.13.2005 no virus found
Norman 5.70.10 07.12.2005 no virus found
Panda 8.02.00 07.13.2005 no virus found
Sybari 7.5.1314 07.13.2005 no virus found
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.13.2005 no virus found


Here are the results from http://virusscan.jotti.org

File: system.exe
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 8199b14026fda41de19e2778a9d4ae1e
Packers detected: -
Scanner results
AntiVir Found Worm/Mydoom.S2
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Pakes
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

File: lsass.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 84885f9b82f4d55c6146ebf6065d75d2
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

I unzipped rkfiles.zip to C:\rkfiles and booted in safe mode and ran file rkfiles.bat but it wouldn't get past "Checking system folder", I let it run for about 20 minutes and tried this 3 times but it would never get past this point. The log file simply says "C:\rkfiles".

I also tried an online scan at http://housecall.trendmicro.com/, but it hangs up around 70 or 71%, I tried rebooting the computer and running the scan again but the same thing happens.

Any more help is greatly appreciated.
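The multi-engine results above are the kind of output a defender reads for consensus rather than for any single verdict: 6 of 21 VirusTotal engines and 2 of 14 Jotti engines flagged system.exe, with Mydoom and Pakes as the repeated family names, while lsass.exe came back clean at every engine. The following Python is an added example, not code from the thread or from either scanning service; it parses the two report layouts shown in this post (excerpts from the thread are embedded as the sample input) and summarizes detection counts and family names. The list of generic tokens it skips when deriving a family name is my own assumption, not a rule from either service.

```python
import re
from collections import Counter

# Verdict strings the two services print for a clean result.
CLEAN_VERDICTS = {"no virus found", "nothing"}
# Assumption: tokens that name a malware class or platform rather than a family.
GENERIC_TOKENS = {"worm", "trojan", "backdoor", "virus", "win32", "w32",
                  "suspicious", "heuristic", "generic"}
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")

# Sample input: the VirusTotal table for system.exe as posted in this thread.
VIRUSTOTAL_SYSTEM_EXE = """\
Antivirus Version Update Result
AntiVir 6.31.0.9 07.13.2005 Worm/Mydoom.S2
AVG 718 07.13.2005 no virus found
Avira 6.31.0.9 07.13.2005 Worm/Mydoom.S2
BitDefender 7.0 07.13.2005 no virus found
CATQuickHeal 7.03 07.13.2005 (Suspicious) - DNAScan
ClamAV devel-20050501 07.13.2005 no virus found
DrWeb 4.32b 07.13.2005 no virus found
eTrust-Iris 7.1.194.0 07.12.2005 no virus found
eTrust-Vet 11.9.1.0 07.13.2005 no virus found
Fortinet 2.36.0.0 07.13.2005 no virus found
F-Prot 3.16c 07.13.2005 no virus found
Ikarus 2.32 07.13.2005 Backdoor.Win32.Agobot.ACE
Kaspersky 4.0.2.24 07.13.2005 Trojan.Win32.Pakes
McAfee 4534 07.13.2005 no virus found
NOD32v2 1.1167 07.13.2005 no virus found
Norman 5.70.10 07.12.2005 no virus found
Panda 8.02.00 07.13.2005 no virus found
Sybari 7.5.1314 07.13.2005 Trojan.Win32.Pakes
Symantec 8.0 07.13.2005 no virus found
TheHacker 5.8.2.070 07.13.2005 no virus found
VBA32 3.10.4 07.13.2005 no virus found
"""

# Sample input: an excerpt of the Jotti results for system.exe from the same post.
JOTTI_SYSTEM_EXE = """\
AntiVir Found Worm/Mydoom.S2
ArcaVir Found nothing
AVG Antivirus Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Pakes
Norman Virus Control Found nothing
"""

def parse_virustotal(report):
    """'Engine Version Update Result' rows -> {engine: verdict}.
    The header row has no date in the third column and is skipped."""
    verdicts = {}
    for line in report.strip().splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            verdicts[parts[0]] = parts[3]
    return verdicts

def parse_jotti(report):
    """'Engine Found Verdict' rows -> {engine: verdict}; engine names may contain spaces."""
    verdicts = {}
    for line in report.strip().splitlines():
        engine, sep, verdict = line.partition(" Found ")
        if sep:
            verdicts[engine] = verdict
    return verdicts

def family_name(label):
    """Rough family token from a vendor label:
    'Worm/Mydoom.S2' -> 'Mydoom', 'Trojan.Win32.Pakes' -> 'Pakes'."""
    for token in re.split(r"[./\\ -]+", label):
        token = token.strip("()")
        if token and token.lower() not in GENERIC_TOKENS:
            return token
    return "unknown"

def summarize(verdicts):
    """Detection count plus the family names engines agree on, most frequent first."""
    detections = {e: v for e, v in verdicts.items()
                  if v.strip().lower() not in CLEAN_VERDICTS}
    families = Counter(family_name(v) for v in detections.values())
    return {"engines": len(verdicts), "detections": len(detections),
            "families": families.most_common()}

if __name__ == "__main__":
    for name, parsed in (("VirusTotal", parse_virustotal(VIRUSTOTAL_SYSTEM_EXE)),
                         ("Jotti", parse_jotti(JOTTI_SYSTEM_EXE))):
        s = summarize(parsed)
        print(f"{name}: {s['detections']}/{s['engines']} engines, families {s['families']}")
```

Two engines naming the same family (Mydoom twice, Pakes twice) carries more weight than the raw 6/21 ratio; a single heuristic hit such as "(Suspicious) - DNAScan" on its own would not.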

#4
Wizard (Retired Staff, 5,661 posts)
Let's go ahead and start squashing bugs!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

Local Security Authority System Service

Right Click that entry and Select "Properties"-> Click "Stop"-> Go up and Change the "Startup Type" to "Disabled"!

Exit the Services Page!


Open up Pocket Killbox-> Copy&Paste the 2 entries below into it!

C:\WINDOWS\lsass.exe
C:\WINDOWS\system.exe


Once pasted in, place a tick by "Delete on Reboot"

Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot



If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam


Run those files through Killbox again to be sure they are gone!

Select these Options this time

"Standard File Kill"
"End Explorer Shell while Killing File"



Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [Services] C:\WINDOWS\system.exe

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - C:\WINDOWS\lsass.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Click Start-> Run->Copy&Paste the Bold Text below into the Open Box and Click OK!

sc delete "Local Security Authority System"


Scan the System with Ewido-> Clean all it Finds-> Make sure to Save a Report!


From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once the Scan is Complete-> Click "Copy to Clipboard" and Copy&Paste those Results into the next reply!



Restart Normal and post a fresh HijackThis log along with the reports from Ewido and WinPFind!
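Killbox's "Delete on Reboot" option and the PendingFileRenameOperations message in the steps above refer to the same Windows mechanism: a file that is locked while Windows is running (a service binary such as C:\WINDOWS\lsass.exe) is queued for deletion in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and Session Manager carries the operation out at the next boot before the file is in use. The following Python is an added example, not Killbox's code or anything from the thread; it encodes and decodes that value format offline (no registry access), lists the queued operations, and reports any scheduled deletion that is no longer present in the value, which is the condition the message describes. The file paths are the two from this thread; the value bytes are constructed in the script.

```python
NT_PREFIX = "\\??\\"   # paths are stored in NT object-manager form, e.g. \??\C:\WINDOWS\lsass.exe

def encode_multi_sz(strings):
    """Encode a REG_MULTI_SZ value: each string as UTF-16LE plus a NUL, then one final NUL.
    Empty strings are preserved; PendingFileRenameOperations uses an empty destination for delete."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"

def decode_multi_sz(data):
    """Inverse of encode_multi_sz, keeping empty strings in their positions."""
    text = data.decode("utf-16-le")
    if not text.endswith("\x00"):
        raise ValueError("REG_MULTI_SZ value lacks its final terminator")
    items = text[:-1].split("\x00")   # drop the final terminator, split on the per-string NULs
    return items[:-1]                  # split() yields one extra empty item after the last NUL

def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def delete_on_reboot_entries(paths):
    """MULTI_SZ entries that schedule each Win32 path for deletion at the next boot."""
    entries = []
    for path in paths:
        entries += [NT_PREFIX + path, ""]   # (source, empty destination) means delete
    return entries

def pending_operations(entries):
    """Interpret the value as (source, destination, action) triples.
    'delete' for an empty destination, 'replace' when the destination carries the
    '!' prefix (MOVEFILE_REPLACE_EXISTING), otherwise 'rename'."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append((src, None, "delete"))
        elif dst.startswith("!"):
            ops.append((src, strip_nt_prefix(dst[1:]), "replace"))
        else:
            ops.append((src, strip_nt_prefix(dst), "rename"))
    return ops

def missing_deletes(expected_paths, value_bytes):
    """Scheduled deletions that are no longer in the value (another process rewrote it)."""
    scheduled = {src.lower() for src, _, action in
                 pending_operations(decode_multi_sz(value_bytes)) if action == "delete"}
    return [p for p in expected_paths if p.lower() not in scheduled]

# Constructed sample: the two files Killbox was asked to remove in this thread.
SAMPLE_PATHS = [r"C:\WINDOWS\lsass.exe", r"C:\WINDOWS\system.exe"]

if __name__ == "__main__":
    value = encode_multi_sz(delete_on_reboot_entries(SAMPLE_PATHS))
    for src, dst, action in pending_operations(decode_multi_sz(value)):
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
    # Simulate the value being wiped by another process: every deletion is now missing.
    print("missing:", missing_deletes(SAMPLE_PATHS, encode_multi_sz([])))
```

Because the whole queue lives in one value, any program that rewrites it (an installer, or a cleaner running at the same time) can drop another tool's entries; checking the value just before rebooting, as missing_deletes does, is the only way to know the deletion is still scheduled.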

#5
festevil (Topic Starter, 9 posts)
I used Killbox to delete those files in safe-mode and my computer would not boot up afterwards, neither in normal or safe mode. So I did a reinstall of windows over my old copy. Should I just burn all my important files to a CDR and do a clean reinstall or is there some way outta this mess?

#6
Wizard (Retired Staff, 5,661 posts)
Did you Copy&Paste the entries from my post into Killbox or type them in?


For now, put the Windows CD in the Drive and Restart the PC!

Select to Boot from CD and then Press "R" for a Repair Install!

Knowing the files were scanned and dirty, I am unsure exactly why this happened!


Let me know if the Repair works!

#7
festevil (Topic Starter, 9 posts)
The repair worked fine. I didn't copy and paste "C:\WINDOWS\lsass.exe" into killbox because the only place I could find that file was in "C:\WINDOWS\SYSTEM32\lsass.exe". Was that what maybe caused the problem?

#8
Wizard (Retired Staff, 5,661 posts)
Yes sir, that's exactly what happened!

So that means that C:\Windows\lsass.exe still exists!

Which means, Copy&Paste C:\Windows\lsass.exe into Killbox and Select Delete on Reboot and Click the Red Circle to Delete it!

Shew.... Gave me a small stroke on that one!


After you do that, let's see a fresh HijackThis log!

#9
festevil (Topic Starter, 9 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:07:19 PM, on 7/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HiJackThis\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121417496384
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Here is a log from WinPFind:

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 C:\WINDOWS\system32\dfrg.msc
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
Umonitor C:\WINDOWS\system32\rasdlg.dll

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
7/15/2005 C:\WINDOWS\WindowsShell.Manifest
7/15/2005 C:\WINDOWS\Downloaded Program Files\desktop.ini
7/15/2005 C:\WINDOWS\Fonts\desktop.ini
7/15/2005 C:\WINDOWS\inf\oem18.inf
7/15/2005 C:\WINDOWS\Offline Web Pages\desktop.ini
7/15/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
7/15/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
7/15/2005 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_7.cab
7/15/2005 C:\WINDOWS\repair\ntuser.dat
7/15/2005 C:\WINDOWS\system32\cdplayer.exe.manifest
7/15/2005 C:\WINDOWS\system32\logonui.exe.manifest
7/15/2005 C:\WINDOWS\system32\ncpa.cpl.manifest
7/15/2005 C:\WINDOWS\system32\nwc.cpl.manifest
7/15/2005 C:\WINDOWS\system32\sapi.cpl.manifest
7/15/2005 C:\WINDOWS\system32\WindowsLogon.manifest
7/15/2005 C:\WINDOWS\system32\wuaucpl.cpl.manifest
7/16/2005 C:\WINDOWS\system32\config\DEFAULT.LOG
7/16/2005 C:\WINDOWS\system32\config\SAM.LOG
7/16/2005 C:\WINDOWS\system32\config\SECURITY.LOG
7/16/2005 C:\WINDOWS\system32\config\SOFTWARE.LOG
7/16/2005 C:\WINDOWS\system32\config\SYSTEM.LOG
7/15/2005 C:\WINDOWS\system32\config\userdiff.LOG
7/15/2005 C:\WINDOWS\system32\config\userdifr.LOG
7/15/2005 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
7/14/2005 C:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
7/14/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
7/16/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0J23GHR4\desktop.ini
7/16/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\237891N6\desktop.ini
7/16/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4N0PH6JH\desktop.ini
7/16/2005 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Y7YE1AQQ\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
7/14/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
7/15/2005 C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
7/16/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\System32\tds3shl.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
SoundMan SOUNDMAN.EXE
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IncrediMail C:\Program Files\IncrediMail\bin\IncMail.exe /c
PopUpStopperFreeEdition "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete


And an Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:55:16 PM, 7/16/2005
+ Report-Checksum: 6AA6F6A9

+ Scan result:

C:\Program Files\iolo\System Mechanic 5\SMUtilityBar.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\RECYCLER\S-1-5-18\Dc3.sys -> Trojan.Rootkit.k : Cleaned with backup


::Report End
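The two HijackThis logs in this thread (post #1 before the cleanup, this post after it) show the pattern the helper keyed on: a core Windows binary name (lsass.exe) running from C:\WINDOWS instead of C:\WINDOWS\system32 and registered as a service with an unknown owner, a Run entry named "Services" launching C:\WINDOWS\system.exe, and, in the second log, an O1 hosts-file entry pointing a hostname at a non-loopback address. The following Python script is an added example, not code from the thread or from HijackThis; it parses excerpts of both logs (embedded as constructed samples taken from the two posts) and flags those three indicator types. It assumes a default C:\WINDOWS install directory and a fixed table of where the core binaries legitimately live; that table is my assumption, with Explorer.EXE as the one core binary that belongs in the Windows root and system.exe having no legitimate location at all.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

# Assumption: core Windows binaries and the directory (relative to %WinDir%) they legitimately
# run from. "system.exe" has no legitimate home, so its entry is None and any path is flagged.
CORE_BINARIES = {
    "smss.exe": "system32", "csrss.exe": "system32", "winlogon.exe": "system32",
    "services.exe": "system32", "lsass.exe": "system32", "svchost.exe": "system32",
    "spoolsv.exe": "system32", "explorer.exe": "", "system.exe": None,
}
WINDIR = PureWindowsPath(r"C:\WINDOWS")   # assumption: default XP install directory
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.exe)', re.I)   # first .exe path in a command line

# Constructed sample: excerpt of the post #1 log, before cleanup.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\lsass.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Local Security Authority System Service (Local Security Authority System) - Unknown owner - C:\WINDOWS\lsass.exe
"""

# Constructed sample: excerpt of the post #9 log, after cleanup.
LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

def misplaced_core_binary(path_str):
    """Reason string if path_str names a core binary outside its expected directory, else None."""
    p = PureWindowsPath(path_str)
    name = p.name.lower()
    if name not in CORE_BINARIES:
        return None
    expected = CORE_BINARIES[name]
    if expected is None:
        return f"{p.name} is not a Windows component"
    expected_dir = WINDIR / expected if expected else WINDIR
    if str(p.parent).lower() != str(expected_dir).lower():
        return f"{p.name} expected in {expected_dir}, found in {p.parent}"
    return None

def triage_hijackthis(log_text):
    """Return (section, line, reason) triples for suspicious lines in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if re.match(r"^[A-Za-z]:\\", line):                 # running-process line
            reason = misplaced_core_binary(line)
            if reason:
                findings.append(("process", line, reason))
        elif line.startswith("O1 - Hosts:"):                 # hosts-file override
            ip, _, host = line[len("O1 - Hosts:"):].strip().partition(" ")
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("O1", line, "unparseable hosts entry"))
                continue
            if not addr.is_loopback:
                findings.append(("O1", line, f"{host} redirected to {ip}"))
        elif line.startswith(("O4 - ", "O23 - ")):           # autostart entry or service
            m = PATH_RE.search(line)
            reason = misplaced_core_binary(m.group(1)) if m else None
            if reason:
                findings.append((line.split(" - ", 1)[0], line, reason))
    return findings

if __name__ == "__main__":
    for label, log in (("post #1 log", LOG_BEFORE), ("post #9 log", LOG_AFTER)):
        print(label)
        for section, _, reason in triage_hijackthis(log):
            print(f"  [{section}] {reason}")
```

On the first log the script reports the process, the O4 entry and the O23 service that the helper had the poster remove; on the second it reports only the hosts-file redirect, which HijackThis lists as an O1 entry and which is worth checking against what the user actually expects www.dcsresearch.com to resolve to.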

#10
Wizard (Retired Staff, 5,661 posts)
Now that looks much better!!!

Use this set of commands to clear the Recycle Bin out!

Go to a Command Prompt:
Start | Run, and type Cmd and hit OK
At the prompt, type the following bold commands:
(note the spaces!!)

cd\ [hit enter]

attrib -h -s c:\recycler [Enter]

del c:\recycler [enter]

Disable System Restore
http://service1.syma...src=sec_doc_nam


Install Spyware Blaster
http://www.javacools...areblaster.html
Update immediately!


Post back and let me know how it's running!

#11
festevil (Topic Starter, 9 posts)
It's running better than ever. Thanks so much Cretemonster.

#12
Wizard (Retired Staff, 5,661 posts)
Go ahead and re-enable System Restore and have a look at those 3 little black links in my signature for some good info on how to avoid this in the future!

Also, look through Metallica's Spyware page for even more info
http://metallica.geekstogo.com/

I think you will find all these links most informative!