Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

possible trojan [RESOLVED]


  • This topic is locked This topic is locked

#1
jediknight

jediknight

    Member

  • Member
  • PipPip
  • 27 posts
Hi.
I have something going on. I think maybe a trojan.
I used ADAWARE and found like 260 threads. I did delete all and the run it again and found like 163 more. Then I ran NAV2005 and found a Trojan horse in two files: Dc12.exe and sysnet.exe. The thing is that NAV just says 'trojan horse" and no more details.
I ran a HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:30:24, on 25/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\TightVNC\WinVNC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\ronaab.exe
C:\Archivos de programa\BullsEye Network\bin\bargains.exe
C:\Archivos de programa\NaviSearch\bin\nls.exe
C:\Archivos de programa\CashBack\bin\cashback.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Archivos de programa\Messenger\msmsgs.exe
C:\WINDOWS\System32\exp.exe
C:\ARCHIV~1\ADDEST~1\ADDEST~1.EXE
C:\ARCHIV~1\VBOUNCER\VIRTUA~1.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\Archivos de programa\mhcn\obba.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\w?wexec.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ronaab.exe reg_run
O4 - HKLM\..\Run: [BullsEye Network] C:\Archivos de programa\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Archivos de programa\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Archivos de programa\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [VBouncer] C:\ARCHIV~1\VBOUNCER\VirtualBouncer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: AdDestroyer.lnk = C:\Archivos de programa\AdDestroyer\AdDestroyer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://filesharingac...m::/ysb_mp3.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AC2CD8BB-8E60-45B4-B415-1EB1C04E7753} (SAFELAYER FormSign Control) - https://www.sabadell...formSign001.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70081F2F-DD0A-491E-9BD1-935252EF8B70}: NameServer = 196.3.81.5,196.3.81.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2EE66EF-15EE-42CE-A976-4497E6E6BD06}: NameServer = 205.240.200.50,205.240.200.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E7E4ED-93F0-4A0A-8865-3910B294D8E7}: NameServer = 196.3.81.5,196.3.81.132
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Archivos de programa\Cas\Client\casmf.dll
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\nxdll.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Microsoft Registry Viewer (dumpreg) - Unknown owner - C:\WINDOWS\dumpreg.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\TightVNC\WinVNC.exe" -service (file missing)
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jediknight and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Hi Excal. Thank you for helping me.
The los in the same email is current because I did not use the notbook again since then.
Anyway, if you still want a new one, just let me know.
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
What is your ISP? Are you familiar with codetel.net?



Thanks,

:tazz:

Excal
  • 0

#5
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
ISN Telecom.
Never heard of codetel.net
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jediknight,

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.


DOWNLOAD PROGRAMS


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download and install CleanUp! Here*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Microsoft Registry Viewer (dumpreg) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\ronaab.exe reg_run
O4 - HKLM\..\Run: [BullsEye Network] C:\Archivos de programa\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Archivos de programa\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Archivos de programa\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [VBouncer] C:\ARCHIV~1\VBOUNCER\VirtualBouncer.exe
O4 - Startup: AdDestroyer.lnk = C:\Archivos de programa\AdDestroyer\AdDestroyer.exe
O15 - Trusted Zone: *.filesharingaccess.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - ms-its:mhtml:file://c:\nosuxxx.mht!http://filesharingac...m::/ysb_mp3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{70081F2F-DD0A-491E-9BD1-935252EF8B70}: NameServer = 196.3.81.5,196.3.81.132
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2EE66EF-15EE-42CE-A976-4497E6E6BD06}: NameServer = 205.240.200.50,205.240.200.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E7E4ED-93F0-4A0A-8865-3910B294D8E7}: NameServer = 196.3.81.5,196.3.81.132
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Archivos de programa\Cas\Client\casmf.dll
O23 - Service: Microsoft Registry Viewer (dumpreg) - Unknown owner - C:\WINDOWS\dumpreg.exe (file missing)


9. click the Fix Checked box

10. Please remove these entries from Add/Remove Programs in the Control Panel(if present):

BullsEye Network
CashBack
VirtualBouncer
AdDestroyer
NaviSearch


11. Please remove the following folders using Windows Explorer (if present):

C:\Archivos de programa\BullsEye Network
C:\Archivos de programa\NaviSearch
C:\Archivos de programa\CashBack
C:\ARCHIV~1\VBOUNCER
C:\Archivos de programa\AdDestroyer


12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\System32\nvms.dll
C:\WINDOWS\System32\mscb.dll
C:\WINDOWS\System32\msbe.dll
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\ronaab.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\dumpreg.exe
AUNPS2.DLL <=====Start>Seach to find this


13. Run the program CleanUp!

14. Reboot into normal mode

15. You may have the latest version of VX2. Download L2mfix from one of these two locations:
  • One
    Two
  • Save the file to your desktop and double click l2mfix.exe.
  • Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
  • From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter
  • Press any key to reboot your computer.
  • After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log.
  • Copy the contents of log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:
IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

16. please run this online virus scan: ActiveScan - Save the results from the scan!

17. Please post the Active scan log, L2Mfix log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#7
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK, here we go...
I think things are better now but maybe still something there...
Whes I log on to WinXP I get an error message
RUNDLL
Error loading c:\WINDOWS\cfgmgr52.dll
The specified module cannot be found

Here are the logs you've requested:

L2Mfix 1.03a

Running From:
C:\files by nacho\l2mfix\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administradores
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\files by nacho\l2mfix\l2mfix
System Rebooted!

Running From:
C:\files by nacho\l2mfix\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'
Killing PID 1980 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 260 'rundll32.exe'
Killing PID 2256 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\odengl32.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\odengl32.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\damodemx.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\damodemx.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\nxdll.dll
1 archivos copiados.
Backing Up: C:\WINDOWS\system32\nxdll.dll
1 archivos copiados.
deleting: C:\WINDOWS\system32\odengl32.dll
Successfully Deleted: C:\WINDOWS\system32\odengl32.dll
deleting: C:\WINDOWS\system32\odengl32.dll
Successfully Deleted: C:\WINDOWS\system32\odengl32.dll
deleting: C:\WINDOWS\system32\damodemx.dll
Successfully Deleted: C:\WINDOWS\system32\damodemx.dll
deleting: C:\WINDOWS\system32\damodemx.dll
Successfully Deleted: C:\WINDOWS\system32\damodemx.dll
deleting: C:\WINDOWS\system32\nxdll.dll
Successfully Deleted: C:\WINDOWS\system32\nxdll.dll
deleting: C:\WINDOWS\system32\nxdll.dll
Successfully Deleted: C:\WINDOWS\system32\nxdll.dll

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: odengl32.dll (deflated 48%)
adding: damodemx.dll (deflated 48%)
adding: nxdll.dll (deflated 48%)
adding: echo.reg (deflated 10%)
adding: clear.reg (deflated 46%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (deflated 12%)
adding: lo2.txt (deflated 89%)
adding: test2.txt (deflated 27%)
adding: test3.txt (deflated 27%)
adding: test5.txt (deflated 27%)
adding: test.txt (deflated 75%)
adding: xfind.txt (deflated 73%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/85F99478-8405-4E32-B187-8DE60549B1C0.reg (deflated 70%)
adding: backregs/AC5DEFAF-5EB9-4BD3-9BCB-D2B2F30608E6.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Usuarios
(ID-IO) ALLOW Read BUILTIN\Usuarios
(ID-NI) ALLOW Full access BUILTIN\Administradores
(ID-IO) ALLOW Full access BUILTIN\Administradores
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... failed (GetAccountSid(Administrators)=1332

deleting local copy: odengl32.dll
deleting local copy: odengl32.dll
deleting local copy: damodemx.dll
deleting local copy: damodemx.dll
deleting local copy: nxdll.dll
deleting local copy: nxdll.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\odengl32.dll
C:\WINDOWS\system32\odengl32.dll
C:\WINDOWS\system32\damodemx.dll
C:\WINDOWS\system32\damodemx.dll
C:\WINDOWS\system32\nxdll.dll
C:\WINDOWS\system32\nxdll.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{85F99478-8405-4E32-B187-8DE60549B1C0}"=-
"{AC5DEFAF-5EB9-4BD3-9BCB-D2B2F30608E6}"=-
"{9D3BFFEE-1C1C-4228-A462-C9418D861021}"=-
[-HKEY_CLASSES_ROOT\CLSID\{85F99478-8405-4E32-B187-8DE60549B1C0}]
[-HKEY_CLASSES_ROOT\CLSID\{AC5DEFAF-5EB9-4BD3-9BCB-D2B2F30608E6}]
[-HKEY_CLASSES_ROOT\CLSID\{9D3BFFEE-1C1C-4228-A462-C9418D861021}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Incident Status Location

Adware:adware/purityscan No disinfected C:\WINDOWS\SYSTEM32\wnscpcc.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.bin
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\exclean.exe
Adware:adware/sqwire No disinfected C:\WINDOWS\SYSTEM32\tsuninst.exe
Adware:adware/iedriver No disinfected C:\WINDOWS\SYSTEM32\Searchx.htm
Adware:adware/afaenhance No disinfected C:\WINDOWS\SYSTEM\QBUninstaller.exe
Adware:adware/searchtheweb No disinfected C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
Adware:adware/weirdontheweb No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\WeirdOnTheWeb.url
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\1111\1111.url
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware/addestroyer No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\MEN INICIO\PROGRAMAS\AdDestroyer
Adware:adware/virtualbouncer No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\MEN INICIO\PROGRAMAS\Virtual Bouncer
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/apropos No disinfected C:\ARCHIVOS DE PROGRAMA\Aprps
Adware:adware/consumeralertsystemNo disinfected C:\ARCHIVOS DE PROGRAMA\CasStub
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\Casino & Carrers
Adware:adware/sidefind No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER
Spyware:spyware/betterinet No disinfected HKEY_CURRENT_USER\SOFTWARE\IN3RD
Adware:adware/exactsearch No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\NLS.URLCATCHER.1
Adware:adware/exact.cashback No disinfected HKEY_CLASSES_ROOT\ADP.URLCATCHER.1
Adware:adware/wupd No disinfected HKEY_CLASSES_ROOT\ADTOOLSX.INSTALLER
Adware:adware/bigtrafficnet No disinfected HKEY_CLASSES_ROOT\BTNETW.AMO
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\DDATE
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS
Spyware:spyware/safesurf No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\RICHED
Spyware:spyware/surfsidekick No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3
Spyware:spyware/istbar No disinfected HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}
Adware:adware/ucmore No disinfected HKEY_CLASSES_ROOT\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}
Adware:adware/ncase No disinfected HKEY_CLASSES_ROOT\CLSID\{99410CDE-6F16-42CE-9D49-3807F78F0287}
Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/cws No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\DAML7NPY\drugs-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\drugs[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\casino-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\71KJXOW7\virus[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\71KJXOW7\fav-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\fav[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\dating-ico[1].bmp
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\avuqq.dat
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1100.dll
Adware:Adware/SearchTheWeb No disinfected C:\Documents and Settings\All Users\Datos de programa\msw\MSW.exe
********************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 3:15:34, on 26/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\TightVNC\WinVNC.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Rlts] C:\Archivos de programa\mhcn\obba.exe
O4 - HKCU\..\Run: [Jgu] C:\WINDOWS\System32\w?wexec.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AC2CD8BB-8E60-45B4-B415-1EB1C04E7753} (SAFELAYER FormSign Control) - https://www.sabadell...formSign001.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\TightVNC\WinVNC.exe" -service (file missing)
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Believe it or not, that error is a good thing :tazz:



DOWNLOAD PROGRAMS


Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\TSL INSTALLER]

[-HKEY_CURRENT_USER\SOFTWARE\IN3RD]

[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\NLS.URLCATCHER.1]

[-HKEY_CLASSES_ROOT\ADP.URLCATCHER.1]

[-HKEY_CLASSES_ROOT\ADTOOLSX.INSTALLER]

[-HKEY_CLASSES_ROOT\BTNETW.AMO]

[-HKEY_LOCAL_MACHINE\SOFTWARE\DDATE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\REVISIONS]

[-HKEY_LOCAL_MACHINE\SOFTWARE\RICHED]

[-HKEY_LOCAL_MACHINE\SOFTWARE\SURFSIDEKICK3]

[-HKEY_CLASSES_ROOT\CLSID\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}]

[-HKEY_CLASSES_ROOT\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}]

[-HKEY_CLASSES_ROOT\CLSID\{99410CDE-6F16-42CE-9D49-3807F78F0287}]

[-HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}]




THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

5. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

6. Close all browsers, windows and unneeded programs.

7. Open HiJack and do a scan.

8. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKCU\..\Run: [Rlts] C:\Archivos de programa\mhcn\obba.exe
O4 - HKCU\..\Run: [Jgu] C:\WINDOWS\System32\w?wexec.exe


9. click the Fix Checked box

10. Please remove the following folders using Windows Explorer (if present):

C:\Archivos de programa\mhcn
C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\WeirdOnTheWeb.url
C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\1111
C:\DOCUMENTS AND SETTINGS\ADMIN\MEN INICIO\PROGRAMAS\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ADMIN\MEN INICIO\PROGRAMAS\Virtual Bouncer
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\ARCHIVOS DE PROGRAMA\Aprps
C:\ARCHIVOS DE PROGRAMA\CasStub
C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\Casino & Carrers
C:\Documents and Settings\All Users\Datos de programa\msw


11. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\avuqq.dat
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1100.dll
C:\WINDOWS\System32\w?wexec.exe
C:\WINDOWS\SYSTEM32\wnscpcc.exe
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\winupdt.bin
C:\WINDOWS\SYSTEM32\exclean.exe
C:\WINDOWS\SYSTEM32\tsuninst.exe
C:\WINDOWS\SYSTEM32\Searchx.htm
C:\WINDOWS\SYSTEM\QBUninstaller.exe
C:\WINDOWS\SYSTEM32\CACHE\mswinstall.exe
C:\WINDOWS\cfgmgr52.ini


12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#9
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK. The computer looks a lot better. No more error message at startup.
While the Activescan was doing its thing, NAV appeared with a virus detection: bloodhound.exploit6 but could not remove it. THis was reported to be located on: c:\archivos de programa\Hijackthis\backups\BA3C16~1. I checked the log and found this was detected at other files at the same location.

About C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1100.dll
I could not find this one but the Activescan stills report it.

Here are the logs:
Logfile of HijackThis v1.99.1
Scan saved at 4:45:11, on 26/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Archivos de programa\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe
C:\Archivos de programa\Lexmark X6100 Series\lxbfbmon.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe
C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [LaunchApp] LaunApp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AcerNotebookManager] C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Archivos de programa\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [msnappau] "C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AC2CD8BB-8E60-45B4-B415-1EB1C04E7753} (SAFELAYER FormSign Control) - https://www.sabadell...formSign001.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Archivos de programa\TightVNC\WinVNC.exe" -service (file missing)

----------------------------------------------------------------------------------------------
---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 4:02:25, 26/07/2005
+ Report-Checksum: 6E0CCB40

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E} -> Spyware.UCmore : Error durante limpieza
HKLM\SOFTWARE\Classes\CLSID\{99410CDE-6F16-42ce-9D49-3807F78F0287} -> Spyware.Zango : Error durante limpieza
HKLM\SOFTWARE\Classes\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A} -> Spyware.HotBar : Error durante limpieza
HKLM\SOFTWARE\Classes\CLSID\{FAA356E4-D317-42a6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Error durante limpieza
C:\files by nacho\l2mfix\l2mfix\backup.zip/odengl32.dll -> Spyware.Look2Me : Limpio con backup
C:\files by nacho\l2mfix\l2mfix\backup.zip/damodemx.dll -> Spyware.Look2Me : Limpio con backup
C:\files by nacho\l2mfix\l2mfix\backup.zip/nxdll.dll -> Spyware.Look2Me : Limpio con backup


::Fin Report

-----------------------------------------------------------------------------------------------

Incident Status Location

Adware:adware/portalscan No disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/elitebar No disinfected C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\Finances & Business
Adware:adware/bookedspace No disinfected C:\WINDOWS\bsx32
Adware:adware/consumeralertsystemNo disinfected HKEY_CURRENT_USER\SOFTWARE\CAS
Adware:adware/pacimedia No disinfected HKEY_CURRENT_USER\SOFTWARE\PSOF1
Adware:adware/sqwire No disinfected HKEY_CURRENT_USER\SOFTWARE\TSL2
Adware:adware/bigtrafficnet No disinfected HKEY_CLASSES_ROOT\BTNETW.AMO.1
Spyware:spyware/bargainbuddy No disinfected HKEY_CLASSES_ROOT\CB.URLCATCHER.1
Adware:adware/apropos No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\APRPS
Adware:adware/searchtheweb No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MSW
Adware:adware/ucmore No disinfected HKEY_CLASSES_ROOT\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}
Adware:adware/ncase No disinfected HKEY_CLASSES_ROOT\CLSID\{99410CDE-6F16-42CE-9D49-3807F78F0287}
Adware:adware/virtualbouncer No disinfected HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}
Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}
Spyware:spyware/safesurf No disinfected HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}
Spyware:spyware/istbar No disinfected HKEY_CLASSES_ROOT\CLSID\{FAA356E4-D317-42A6-AB41-A3021C6E7D52}
Adware:adware/addestroyer No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ADDESTROYER
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/sidefind No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{10E42047-DEB9-4535-A118-B3F6EC39B807}
Adware:adware/cws No disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\DAML7NPY\drugs-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\drugs[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\casino[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\WE3TQGQN\casino-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\71KJXOW7\virus[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\71KJXOW7\fav-ico[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\fav[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\config\systemprofile\Configuración local\Archivos temporales de Internet\Content.IE5\A3EZACCF\dating-ico[1].bmp
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1100.dll
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
These files: C:\archivos de programa\Hijackthis\backups\BA3C16~1
Are just the bad files that we disabled in HiJackThis and they are not a threat. You can actually delete them when we are done :tazz:

Please remove the following folders using Windows Explorer (if present):

C:\DOCUMENTS AND SETTINGS\ADMIN\FAVORITOS\Finances & Business
C:\WINDOWS\bsx32
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\SYSTEM32\winupdt.008
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1100.dll

reboot

Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme2.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[-HKEY_CURRENT_USER\SOFTWARE\CAS]

[-HKEY_CURRENT_USER\SOFTWARE\PSOF1]

[-HKEY_CURRENT_USER\SOFTWARE\TSL2]

[-HKEY_CLASSES_ROOT\BTNETW.AMO.1]

[-HKEY_CLASSES_ROOT\CB.URLCATCHER.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\APRPS]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MSW]

[-HKEY_CLASSES_ROOT\CLSID\{44BE0690-5429-47F0-85BB-3FFD8020233E}]

[-HKEY_CLASSES_ROOT\CLSID\{99410CDE-6F16-42CE-9D49-3807F78F0287}]

[-HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}]

[-HKEY_CLASSES_ROOT\CLSID\{DC341F1B-EC77-47BE-8F58-96E83861CC5A}]

[-HKEY_CLASSES_ROOT\CLSID\{F79A2C4B-8776-4ED7-8B2F-4786A4A3500A}]

[-HKEY_CLASSES_ROOT\CLSID\{FAA356E4-D317-42A6-AB41-A3021C6E7D52}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ADDESTROYER]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST]

[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EXTENSIONS\CMDMAPPING\{10E42047-
DEB9-4535-A118-B3F6EC39B807}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807}]



Locate fixme2.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in: dumpreg
  • Click "ok", then reboot
Run Clean up! then reboot.
  • Please click this link to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
  • Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

  • NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
    For some time it will look like nothing is happening. Just keep waiting.
  • Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here

  • 0

Advertisements


#11
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"esevau" = "C:\WINDOWS\System32\esevau.exe" [file not found]
"nokouttwtl.exe" = "C:\WINDOWS\system\nokouttwtl.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"CTFMON.EXE" = "C:\WINDOWS\System32\ctfmon.exe" [MS]
"Yahoo! Pager" = "C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet" [file not found]
"MsnMsgr" = ""C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LaunchApp" = "LaunApp" ["Wistron Corp."]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"SynTPLpr" = "C:\Archivos de programa\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"AcerNotebookManager" = "C:\Archivos de programa\Acer\Notebook Manager\almxptray.exe" ["Acer"]
"WinVNC" = ""C:\Archivos de programa\TightVNC\WinVNC.exe" -servicehelper" ["AT&T Research Labs Cambridge"]
"Lexmark X6100 Series" = ""C:\Archivos de programa\Lexmark X6100 Series\lxbfbmgr.exe"" ["Lexmark International, Inc."]
"HPDJ Taskbar Utility" = "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe" ["HP"]
"HP Component Manager" = ""C:\Archivos de programa\HP\hpcoretech\hpcmpmgr.exe"" ["Hewlett-Packard Company"]
"HP Software Update" = ""C:\Archivos de programa\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"ccApp" = ""C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"SSC_UserPrompt" = "C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"msnappau" = ""C:\Archivos de programa\MSN Apps\Updater\01.02.3000.1001\es-us\msnappau.exe"" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Extensión de paneo de pantalla del Panel de control"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "Extensión de icono de HyperTerminal"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\Office\3082\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\ARCHIV~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
nqyggxyt\(Default) = "{6cf431d6-c651-4391-9b29-e15e86b2da37}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nbadd.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\admin\Datos de programa\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\acer.scr" [null data]


Startup items in "admin" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Menú Inicio\Programas\Inicio
"Microsoft Office" -> shortcut to: "C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Archivos de programa\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer - admin" -> launches: "C:\ARCHIV~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Datos de programa\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}" = "MSN" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Archivos de programa\MSN Apps\MSN Toolbar\01.02.4000.1001\es-us\msntb.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Archivos de programa\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Archivos de programa\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Archivos de programa\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Archivos de programa\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Archivos de programa\Archivos comunes\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Archivos de programa\Archivos comunes\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
VNC Server, winvnc, ""C:\Archivos de programa\TightVNC\WinVNC.exe" -service" ["AT&T Research Labs Cambridge"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 49 seconds, including 18 seconds for message boxes)
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme3.reg (make sure that Save as Type is set at "All Files") on your Desktop. Ensure there is no space at above REGEDIT 4.


REGEDIT4

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\]
"esevau"=-
"nokouttwtl.exe"=-



Locate fixme3.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".

Reboot.


Everything looks good, are you haveing any more troubles?


Excal
  • 0

#13
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I think it's over.
I just wonder if I must uninstall everything we've installed...
Should I keep ewido instead of NAV???

Thanks for the help!!!
  • 0

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
I wouldn't uninsatll NAV. Ewido is an active Virus scanner, it jsut supplements one.

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#15
jediknight

jediknight

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Thanks for the tips/advice!!!
I'll sure update this notebook right away.
hope this will not happen again!
Best.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP