Virus Problems [RESOLVED]



#1 Gazza G (Member, 47 posts)

Two days ago, my laptop got infected with a virus. I noticed that PSGuard had been added to my desktop, so I Googled it and found this site. Thank God for that ;) :D :D

It took control of my desktop background, and removed the tabs to change it back in the display settings. My homepage was set to about:blank, which was a search page. I also had a small bubble on the bottom left near the time, which said that I might be infected... I removed some new programs I found using Add/Remove Programs, downloaded Microsoft AntiSpyware beta, ran it and found 5 things, which I removed. Then I followed the 5 steps on this site, downloading CWShredder and ewido. CWShredder found one object, which was removed. Ewido found 9 infections which were deleted, plus many others which were cleaned. Then I was able to see all the tabs in Display, and my browser was back to normal. Also the pop-ups I had been getting stopped. I rebooted, and everything was back to normal. I re-scanned with ewido, and it picked up one object. Plus, Microsoft AntiSpyware keeps notifying me of another object trying to save itself in my registry.

So my current problem: every time I log on and run a scan, one file is infected, plus another keeps trying to get into my registry. The scan log from ewido:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup

C:\WINNT\system32\__delete_on_reboot__intell32.exe -> Trojan.Small.ev : Cleaned with backup

The Trojan.Agent.eo is the one always picked up by ewido at the start of a scan, and the intell32 is the one that keeps trying to get to my registry, being picked up by both ewido and Microsoft AntiSpyware about 5 minutes after logging on.

How can I stop these from reappearing?

I have Windows 2000 with Service Pack 3.

I will post a HJT log in 1 minute, I'll close everything down first.

Thanks in advance, Gazza.


NOTE: This is my father's work laptop, so there is a lot of software and processes running that might not normally be found on a normal home user's PC :) I can check if the process running is from legitimate software if you want.






**EDIT** I posted twice, then realised that replying to the post means it won't show up in the unanswered topics :tazz: I've attached the log to this post, so hopefully an admin can delete the second post :(

Logfile of HijackThis v1.99.1
Scan saved at 14:55:05, on 30/07/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\HJT\HJT.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122538746338
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = azlan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = azlan.co.uk,azlan.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (Mcshield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Net MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)





Another thing I just noticed: I closed all my internet browsers before running this, then opened one again. The intell32 alert came back again as soon as I opened it, showing up on both ewido and anti-spyware again.

Also, this was after the scans removed the viruses. I could run it before removing the viruses next time I log on?


**END OF EDIT** :(

Edited by Gazza G, 30 July 2005 - 10:12 AM.
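As an added illustration (not code from this thread, from HijackThis or from the tools the helpers recommend), the script below applies the kind of reasoning used later in the thread to HijackThis-format lines: it flags the Search Bar and Run entries that point at se.dll in the user's Temp folder and the r_server service whose binary is reported missing, while leaving the Adobe BHO and McAfee entries alone. The sample lines are constructed from the log above, and the scoring rules are illustrative heuristics, not HijackThis's own logic.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example: the sample lines are constructed from the entries posted in this
thread, and the rules below are an illustration of the reasoning the helpers
apply, not HijackThis's own detection logic.
"""
import re

# Constructed sample in the HijackThis v1.99.1 line format seen in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\se.dll,DllInstall
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

# A HijackThis entry line starts with a section code (R1, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Each rule is (name, predicate over (section, body)). These are illustrative
# heuristics mirroring the thread: code loaded from a user's Temp folder,
# rundll32 loading such a DLL at logon, a res:// search page, and services
# whose binary is missing or whose owner is unknown.
RULES = [
    ("executable under user Temp",
     lambda s, b: re.search(r"\\LOCALS~1\\Temp\\|\\Local Settings\\Temp\\", b, re.I) is not None),
    ("rundll32 loading DLL at logon",
     lambda s, b: s == "O4" and re.search(r"\brundll32\b", b, re.I) is not None),
    ("res:// search/start page",
     lambda s, b: s.startswith("R") and "res://" in b.lower()),
    ("service binary missing",
     lambda s, b: s == "O23" and "(file missing)" in b.lower()),
    ("service with unknown owner",
     lambda s, b: s == "O23" and "unknown owner" in b.lower()),
]


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line; skip other lines."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return [(section, body, [matched rule names])] for entries hitting any rule."""
    flagged = []
    for section, body in parse_entries(log_text):
        reasons = [name for name, pred in RULES if pred(section, body)]
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {', '.join(reasons)}")
```

Entries that match no rule are simply not listed, which is why the Adobe, Apoint and McAfee lines above produce no output.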




#2 Gazza G (Topic Starter, Member, 47 posts)

** Please delete this post :tazz:

Edited by Gazza G, 30 July 2005 - 10:16 AM.


#3 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

No worries on that now. I'm subscribed to this topic :tazz:

Download CWShredder http://www.greyknigh.../CWShredder.exe

Right click a blank part of your desktop & select New->Folder. Call it SPFix. Go to http://www.derbilk.de/404.html and download SpSeHjfix. Get the one that's specified for your Operating System. So if you have Windows 98, get the one that's listed for Windows 98.

Disconnect from the net and close all programs. Run SpSeHjfix and click on 'Start Disinfection'. When it's finished it will reboot your machine to finish the cleaning process. The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say "system clean" and not go on to the next stage.

Now run the CWShredder and hit the Fix button.

Reboot and post a fresh HijackThis log and the log that was created by SpSeHjfix.

#4 Gazza G (Topic Starter, Member, 47 posts)

Sorry for the delay, slow laptop :tazz:

I've already got CWShredder, and downloaded the SPFix.

I ran SPFix, and got the log. I ran CWShredder, and it found nothing. I also ran ewido again, and got the same infected file. Also, when I opened my internet browser, the file warning came up again, as before. Logs from SPFix, ewido and HJT are below:

*When my computer rebooted after SPFix, it opened up again as soon as I logged on, and said that it would go through step one and reboot. Having done this, I closed it, as I thought it would have said step two if there was anything wrong. I can re-do this if I need to.


SPFix:

(7/30/05 17:22:24) SPSeHjFix started v1.1.2
(7/30/05 17:22:24) OS: Win2000 Service Pack 3 (5.0.2195)
(7/30/05 17:22:24) Language: english
(7/30/05 17:22:24) Win-Path: C:\WINNT
(7/30/05 17:22:24) System-Path: C:\WINNT\System32
(7/30/05 17:22:24) Temp-Path: C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\
(7/30/05 17:22:32) Disinfection started
(7/30/05 17:22:32) Bad-Dll(IEP): c:\docume~1\steven~1\locals~1\temp\se.dll
(7/30/05 17:22:32) UBF: 7 - UBB: 0 - UBR: 6
(7/30/05 17:22:32) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(7/30/05 17:22:32) UBF: 7 - UBB: 0 - UBR: 5
(7/30/05 17:22:32) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\steven~1\locals~1\temp\se.dll/space.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
(7/30/05 17:22:32) Stealth-String not found
(7/30/05 17:22:33) File added to delete: c:\docume~1\steven~1\locals~1\temp\se.dll
(7/30/05 17:22:33) Reboot


(7/30/05 17:27:17) SPSeHjFix started v1.1.2
(7/30/05 17:27:17) OS: Win2000 Service Pack 3 (5.0.2195)
(7/30/05 17:27:17) Language: english
(7/30/05 17:27:17) Win-Path: C:\WINNT
(7/30/05 17:27:17) System-Path: C:\WINNT\System32
(7/30/05 17:27:17) Temp-Path: C:\DOCUME~1\STEVEN~1\LOCALS~1\Temp\







---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:37:39, 30/07/2005
+ Report-Checksum: 35643337

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup


::Report End


Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 17:38:56, on 30/07/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122538746338
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = azlan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = azlan.co.uk,azlan.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (Mcshield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Net MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)





One other thing is the virus changed all my backgrounds to black, including the one behind the logon screen, where you press CTRL+ALT+DEL. How can I change this back? Where are the settings for this?

#5 Gazza G (Topic Starter, Member, 47 posts)

Also, I noticed Intell32 keeps adding itself to my startup list, so I keep removing it. Should I leave it?

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

No problem. I don't see any signs of it, but let's remove that background problem, since the description you gave me indicates that this is smitfraud doing its job.

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to its own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)


Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete this file if found -> C:\WINNT\System32\r_server.exe

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).

#7 Gazza G (Topic Starter, Member, 47 posts)

FilePlanet Download Control Class - I believe that is legitimate, something useful. FilePlanet are a games download site, and to download you need an ActiveX class. However, I'll delete it for now, as I can get it back again easily. Just downloaded smitRem and Ad-Aware, gonna reboot to Safe Mode....

#8 Gazza G (Topic Starter, Member, 47 posts)

I chose Fix checked on both objects in HijackThis, rescanned and the remote admin server one was still there. Could this be something useful? As this is a work laptop, remote admin may be something the company have put on here.

I ran smitrem, it changed one file. It reset my desktop setting to blue, like it said, however to check if it has done it for the login screen I'll need to reboot.

I ran Ad-Aware, and it picked up something like 90 things, most of them PSGuard registry keys. I selected them all and quarantined them, then clicked Next and it removed them.

Next was ewido, nothing was found.

Display ---> Web - Security Info

Web wasn't in the display controls in Safe Mode, but it is now, and Security Info isn't there.

I'm just about to run the panda scan, but here are the current logs:

*No ewido as nothing was found

SMITREM:


smitRem log file
version 2.2

by noahdfear

The current date is: Sun 31/07/2005
The current time is: 12:58:26.35

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

cars


~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~




ADAWARE:


Ad-Aware SE Build 1.06r1
Logfile Created on:31 July 2005 13:05:17
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R58 28.07.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Alexa(TAC index:5):1 total references
Ebates MoneyMaker(TAC index:4):1 total references
Malware.Psguard(TAC index:7):90 total references
Tracking Cookie(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R58 28.07.2005
Internal build : 68
File location : C:\Documents and Settings\steven cutler\Desktop\Adaware\Ad-Aware
SE Personal\defs.ref
File size : 504264 Bytes
Total size : 1520233 Bytes
Signature data size : 1487665 Bytes
Reference data size : 32056 Bytes
Signatures total : 42386
CSI Fingerprints total : 982
CSI data size : 34567 Bytes
Target categories : 15
Target families : 720


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium III
Memory available:58 %
Total physical memory:261616 kb
Available physical memory:150308 kb
Total page file size:625076 kb
Available on page file:551424 kb
Total virtual memory:2097024 kb
Available virtual memory:2044456 kb
OS:Microsoft Windows 2000 Professional Service Pack 3 (Build 2195)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


31-07-2005 13:05:17 - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 148
ThreadCreationTime : 31-07-2005 11:48:07
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 31-07-2005 11:48:36
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 196
ThreadCreationTime : 31-07-2005 11:48:38
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 220
ThreadCreationTime : 31-07-2005 11:48:40
BasePriority : Normal
FileVersion : 5.00.2195.3940
ProductVersion : 5.00.2195.3940
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINNT\system32\
ProcessID : 232
ThreadCreationTime : 31-07-2005 11:48:40
BasePriority : Normal
FileVersion : 5.00.2195.5960
ProductVersion : 5.00.2195.5960
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINNT\system32\
ProcessID : 380
ThreadCreationTime : 31-07-2005 11:48:45
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe

#:7 [winmgmt.exe]
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 468
ThreadCreationTime : 31-07-2005 11:48:48
BasePriority : Normal
FileVersion : 1.50.1085.0070
ProductVersion : 1.50.1085.0070
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright © Microsoft Corp. 1995-1999

#:8 [explorer.exe]
FilePath : C:\WINNT\
ProcessID : 492
ThreadCreationTime : 31-07-2005 11:52:41
BasePriority : Normal
FileVersion : 5.00.3502.5321
ProductVersion : 5.00.3502.5321
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE

#:9 [ad-aware.exe]
FilePath : C:\Documents and Settings\steven cutler\Desktop\Adaware\Ad-Aware SE Personal\
ProcessID : 608
ThreadCreationTime : 31-07-2005 12:04:36
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{04f3168f-5afc-4531-b3b4-16ca93720415}


Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{28fedb90-53c7-4928-994a-cee782606507}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{2c462d06-3ba0-48bb-9282-bb6519fe86e9}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{3a350193-c7f7-4e10-b347-02ff4c3cc4e9}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{4723879b-8f52-4be7-9994-626afa539366}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{7b6a3434-8625-4abf-b79d-09d98c2498c4}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8b6c0168-baac-4c7c-911e-0132590f5661}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{8ec33b7d-9953-4edb-ace2-d4c105968601}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a00e2305-7001-4200-ba00-5779f9a3e7d3}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a20f5672-7486-4d27-bd2b-e555e4692c5f}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a917b2f3-a9bf-477c-a0e3-0382d0376159}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b26b5883-f15f-4283-b3d5-a1728077de47}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b803d266-a08d-4a4c-9604-6d35689abe09}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{c6e2a22c-b3a8-43a4-b5ec-a5bb671ab3f7}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{cb9385ab-8541-4b2f-a363-48f64c612993}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{cf1674cc-ec9a-4aee-996e-65a8f7c0b0e4}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{d5d6e9b5-30d5-4457-ac8b-399205f50411}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{d6a7d177-0b2f-4283-b2e8-b6310a45e606}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{e0d6c30a-b9a3-4181-8099-3b0d5a2b98af}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f100a342-3ac5-47ff-b5b3-fcdb6fc9f016}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f4364eec-31f5-4b8b-a7e0-3b6394c9d23f}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{982392f9-9c65-48b4-b667-3459c46630d1}

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{f61d1ce1-5199-4b57-b59e-c6819ea92f3b}

Alexa Object Recognized!
Type : RegValue
Data :
TAC Rating : 5
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-19228943-1717525916-1086793644-3749\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
TAC Rating : 4
Category : Data Miner
Comment : "{7F241C00-DAB6-11d5-AAA8-0001028DF1BC}"
Rootkey : HKEY_USERS
Object : S-1-5-21-19228943-1717525916-1086793644-3749\software\microsoft\internet explorer\extensions\cmdmapping
Value : {7F241C00-DAB6-11d5-AAA8-0001028DF1BC}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 51
Objects found so far: 51


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 51


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : steven cutler@apmebf[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:steven [email protected]/

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 52



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 52


Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 52




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.foundcollection

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.foundcollection.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.foundobject

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.foundobject.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.killedprocessescollection

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.killedprocessescollection.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.killedprocessinfo

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.killedprocessinfo.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.license

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.license.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.options

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.options.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.quarantine

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.quarantine.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.realtime

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.realtime.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.rtobject

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.rtobject.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.safemode

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.safemode.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.scaner

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.scaner.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.scanstatistic

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.scanstatistic.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.theapp

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.theapp.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.update

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.update.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.updateinfo

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.updateinfo.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.versioninfo

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : avecore.versioninfo.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.window

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.window.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.windowcollection

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.windowcollection.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.windowlayer

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : wndlayer.windowlayer.1

Malware.Psguard Object Recognized!
Type : Regkey
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\shudderltd

Malware.Psguard Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_CURRENT_USER
Object : software\microsoft\internet explorer\desktop\general
Value : Wallpaper

Malware.Psguard Object Recognized!
Type : RegValue
Data :
TAC Rating : 7
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\main
Value : Display Inline Images

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 41
Objects found so far: 93

13:12:37 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:07:20.113
Objects scanned:88349
Objects identified:93
Objects ignored:0
New critical objects:93




**EDIT: It pasted the logs twice for some reason :tazz:

Edited by Gazza G, 31 July 2005 - 07:40 AM.


#9 Gazza G (Member, Topic Starter, 47 posts)
Forgot to do this.. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 14:24:58, on 31/07/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122538746338
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = azlan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = azlan.co.uk,azlan.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (Mcshield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Net MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)

As far as I can see, everything's ok now. All the effects have gone. I'm gonna reboot and check if the login screen's background has changed. I've not had the intell32 problem anymore, and I think the other one that ewido always picked up has gone ;)

Edited by Gazza G, 31 July 2005 - 07:41 AM.


#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please do NOT post the Ad-aware log here. We rarely ask for it at all since it takes up so much space. Just remove what it finds and you should be ok with that step.

Check and fix this in HijackThis:

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)


Delete C:\WINNT\System32\r_server.exe

See if you can find and delete oleext.dll also.

Restart and post a new HijackThis log.

How about the Panda scan? What did it find? Please post the log here for Panda ActiveScan also.

#11 Gazza G (Member, Topic Starter, 47 posts)
I couldn't do the panda scan before, I only just realised why: I'd blocked all activex controls. So I changed them to prompt, and it's working. I cannot find either of the two files to delete. Also, when I fixed that in HJT earlier, it reappeared afterwards, I ran another scan. I'll try it again and post the log.

#12 Gazza G (Member, Topic Starter, 47 posts)
I'm having no luck with Panda scan. It gets to the end of the loading bar, then just stops? I've tried it a couple of times now.

As for HJT:

I tried fixing the r_server several times now. Whenever I run a scan afterwards, it's still there.

Logfile of HijackThis v1.99.1
Scan saved at 23:00:37, on 31/07/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\HJT\HJT.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: IGMPv3 Lite Daemon.lnk = C:\Program Files\Cisco Systems\IPTV Viewer\hsildw32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PowerPanel.lnk = C:\Program Files\PowerPanel\PROGRAM\PcfMgr.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O9 - Extra button: Todo Coches - {AF0828BC-CB46-4C8D-95B6-8A7C4988F9FF} - c:\eurotopecoches\local.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122538746338
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = azlan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = azlan.co.uk,azlan.com
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Documents and Settings\steven cutler\Desktop\Smaz\New Folder\Kerio Firewall\Personal Firewall 4\kpf4ss.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (Mcshield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Net MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\Net MD Simple Burner\NetMDSB.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)

#13 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Go to Start->Run and type in services.msc and hit OK. Then look for Remote Administrator Service (r_server) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#14 Gazza G (Member, Topic Starter, 47 posts)
I've disabled Remote Administrator Service from safe mode. But I just found a .txt file in my C: drive, that's called radmin. I opened it, and it contained a list of dates, saying 'Remote Administrator server is started'. These date back to 2003, when I think this laptop was first bought.

"2003.06.16 07:57 Remote Administrator server is started
2003.06.24 09:13 Remote Administrator server is started
2003.06.26 09:14 Remote Administrator server is started"

Do you think that is related to the r_admin service?

Also, the logs...

Noticed this while it was scanning...

Mon Aug 01 01:04:39 2005 => ERROR!!! Invalid Entry "C:\WINNT\System32\r_server.exe" /service in SYSTEM\CurrentControlSet\Services\r_server...




Mon Aug 01 02:31:18 2005 => ***** Checking for specific ITW Viruses *****
Mon Aug 01 02:31:18 2005 => Checking for Welchia Virus...
Mon Aug 01 02:31:18 2005 => Traces of "Welchia" found and cleaned !!! <===
Mon Aug 01 02:31:18 2005 => Checking for LovGate Virus...
Mon Aug 01 02:31:18 2005 => Checking for CodeRed Virus...
Mon Aug 01 02:31:19 2005 => Checking for OpaServ Virus...
Mon Aug 01 02:31:19 2005 => Checking for Sobig.e Virus...
Mon Aug 01 02:31:19 2005 => Checking for Winupie Virus...
Mon Aug 01 02:31:19 2005 => Checking for Swen Virus...
Mon Aug 01 02:31:19 2005 => Checking for JS.Fortnight Virus...
Mon Aug 01 02:31:19 2005 => Checking for Novarg Virus...
Mon Aug 01 02:31:19 2005 => Checking for Pagabot Virus...
Mon Aug 01 02:31:19 2005 => Checking for Parite.b Virus...
Mon Aug 01 02:31:19 2005 => Checking for Parite.a Virus...
Mon Aug 01 02:31:19 2005 => Checking for Adware.SeekSeek Virus...
Mon Aug 01 02:31:19 2005 => ***** Scanning complete. *****
Mon Aug 01 02:31:19 2005 => Total Objects Scanned: 55168
Mon Aug 01 02:31:19 2005 => Total Virus(es) Found: 7
Mon Aug 01 02:31:19 2005 => Total Disinfected Files: 0



File C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\Mario V1.1.exe infected by "P2P-Worm.Win32.Franvir" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\mario.zip infected by "P2P-Worm.Win32.Franvir" Virus! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\FilePlanetDownloadCtrl.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\r_server.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\raddrv.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\System32\ACrd10SM.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Sony Shared\OpenMG\ekb\newekb021224.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\FilePlanetDownloadCtrl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A0A-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A18-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{000C0A19-0000-0000-C000-000000000046}" refers to invalid object "pj8od8.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0E6178B0-2533-11d4-8A2B-0090271D4F88}" refers to invalid object "C:\Program Files\Yahoo!\Messenger\messmod.dll". Action Traces of "Welchia" found and cleaned !!!
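As an added example (not code from the thread, from HijackThis or from Mwav), here is a small Python checker that applies the test the expert used on the O23 lines in posts #10 and #13 programmatically: it parses the `O23 - Service:` lines, strips arguments and the stray quote from the ImagePath (the same malformed entry Mwav reports as "Invalid Entry" in post #14), and flags services whose binary HijackThis could not find. The sample log is constructed from lines posted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: O23 lines copied from the HijackThis logs in this
# thread, plus one O4 line to show that non-service lines are ignored.
SAMPLE_HJT_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\System32\r_server.exe" /service (file missing)
"""

# O23 - Service: <display name> [(<short name>)] - <owner> - <ImagePath> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<image>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class ServiceEntry:
    display_name: str
    short_name: Optional[str]
    owner: str
    image_path: str      # exactly as HijackThis printed it (may carry args / stray quotes)
    file_missing: bool   # HijackThis appended "(file missing)"

    @property
    def unbalanced_quotes(self) -> bool:
        # An odd number of double quotes means the registry ImagePath is malformed;
        # the r_server entry in this thread has exactly this shape.
        return self.image_path.count('"') % 2 == 1

    @property
    def binary(self) -> str:
        """The executable the ImagePath really points at, with arguments removed."""
        s = self.image_path.strip()
        if s.startswith('"'):
            end = s.find('"', 1)
            return s[1:end] if end != -1 else s[1:]
        # Unquoted path: take everything up to the first .exe that is followed by
        # a quote, whitespace or end of line (paths with spaces stay intact).
        m = re.match(r'(.+?\.exe)(?=["\s]|$)', s, re.IGNORECASE)
        return m.group(1) if m else s.split(" /", 1)[0]

    def reasons(self) -> List[str]:
        """Why a defender should look at this service; empty means nothing odd."""
        out: List[str] = []
        if self.file_missing:
            out.append("service binary does not exist on disk (orphaned service)")
        if self.unbalanced_quotes:
            out.append("unbalanced quote in ImagePath (malformed registry entry)")
        # Missing vendor info alone is common for legitimate software, so it only
        # raises the priority of an entry that is already suspicious.
        if out and self.owner.lower() == "unknown owner":
            out.append("no vendor/company information for the binary")
        return out


def parse_o23(log_text: str) -> List[ServiceEntry]:
    """Extract every O23 service entry from a HijackThis log."""
    entries: List[ServiceEntry] = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        entries.append(ServiceEntry(
            display_name=m["display"],
            short_name=m["short"],
            owner=m["owner"],
            image_path=m["image"],
            file_missing=m["missing"] is not None,
        ))
    return entries


def audit_o23(log_text: str) -> List[Tuple[ServiceEntry, List[str]]]:
    """Return only the service entries that deserve a closer look, with reasons."""
    return [(e, e.reasons()) for e in parse_o23(log_text) if e.reasons()]


if __name__ == "__main__":
    for entry, why in audit_o23(SAMPLE_HJT_LOG):
        print(f"{entry.short_name or entry.display_name}: {entry.binary}")
        for reason in why:
            print("  -", reason)
```

Run against the sample, only the r_server entry is reported, which is the line the expert singled out; the Macromedia service has an unknown owner but a present, well-formed path and so stays quiet.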

#15 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Delete these two files:

C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\Mario V1.1.exe
C:\Documents and Settings\steven cutler\Desktop\Smaz\BOR\mario.zip


I think you should be clear now.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.