Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan HORSE [resolved]


  • This topic is locked This topic is locked

#1
RCOLF

RCOLF

    Member

  • Member
  • PipPip
  • 17 posts
Mzs.SpoolServer32 can't seem to delete from system. I have followed all your suggested steps to clean the system, but this particular program keeps coming back. following is my Hijack this log.

thanks
RCOLF


Logfile of HijackThis v1.99.1
Scan saved at 12:05:05 PM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\system32\mdms.exe
C:\WINDOWS\System32\icasServ.exe
C:\Program Files\Aluria Security Center\SecurityCenter.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\w?nword.exe
C:\Program Files\csaa\srai.exe
C:\PROGRA~1\ALURIA~1\asKernel.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\HijackThis App\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.psndeale...ers/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {39527252-0ACF-4C63-E19C-271414330432} - driver64.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINDOWS\system32\appwiz.dll
O2 - BHO: (no name) - {A49D52DA-0E37-F870-F96F-AAD49BE4AC3F} - C:\WINDOWS\System32\CZ6vtx3H.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: (no name) - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0614NetInstaller.exe"/BEFOREINSTALL
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [dialer423] barint.exe
O4 - HKLM\..\Run: [keybdll] sound64.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
O4 - HKLM\..\Run: [dmypl.exe] C:\WINDOWS\System32\dmypl.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [Gqy] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WareOut] "C:\Program Files\WareOut\WareOut.exe"
O4 - HKCU\..\Run: [keybdll] MON76234.exe
O4 - HKCU\..\Run: [SAPSTR] TRPT.exe
O4 - HKCU\..\Run: [XTermInit] init32.exe
O4 - HKCU\..\Run: [Uahe] C:\Program Files\csaa\srai.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.edcor.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: www.triumphonline.net
O15 - Trusted Zone: *.xmradio.com
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: http://67.19.178.84
O16 - DPF: {171B10C1-475C-11D4-8E21-005004718DC0} (Project1.UserControl1) - https://www.scat.suz.../cab/Prjaos.CAB
O16 - DPF: {2345F907-F5CF-11D3-8E1F-005004718DC0} (scatdp2a.clsSuzuki) - https://www.scat.suz...ab/scatdp2a.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {2D361311-74CA-11D2-B3F4-0060083BE8BF} (scatdp2.clsSuzuki) - https://www.scat.suz...cab/Scatdp2.CAB
O16 - DPF: {399548B6-253E-11D2-BE13-000000000000} (VPEngine ActiveX Control Class) - https://www.scat.suz...ab/vpectrl3.cab
O16 - DPF: {43241AD9-3A89-4815-9A9C-7D9B549AA13A} (prjEmptyRegular.ctlatRegular) - https://www.scat.suz...cab/prj481E.CAB
O16 - DPF: {531CD468-D7BF-11D3-9261-00104B6943CA} (Scatdp4.clsSuzuki) - https://www.scat.suz...cab/scatdp4.cab
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB
O16 - DPF: {87FA653D-4C13-11D3-8E1F-005004718DC0} (ScatUpdater.Updater) - https://www.scat.suz...ScatUpdater.CAB
O16 - DPF: {8EBAC640-ECA5-404C-AFD9-18D61BE4AF82} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.cab
O16 - DPF: {915DB736-2591-11D3-8E1F-005004718DC0} (Scatdp3.clsSuzuki) - https://www.scat.suz...cab/scatdp3.cab
O16 - DPF: {AABEE018-FF3D-11D3-8E1F-005004718DC0} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.CAB
O16 - DPF: {CBCF1FEA-4905-11D4-8E21-005004718DC0} (w281ctlE.ctlW281E) - https://www.scat.suz...ab/w281ctlE.CAB
O16 - DPF: {D4C4A875-FD4E-11D4-AC39-00010262094C} (Scatdp1a.clsSuzuki) - https://www.scat.suz...ab/Scatdp1a.cab
O16 - DPF: {EA712BDB-7FE5-11D3-8E1F-005004718DC0} (Project1.login) - https://www.scat.suz.com/cab/login.CAB
O16 - DPF: {F25620FB-9C81-11D1-BF85-0060083BE8BF} (Project1.ctlStatusBox) - https://www.scat.suz...riStatusBox.CAB
O16 - DPF: {FDC1DAA5-BC3E-11D2-B3F6-0060083BE8BF} (Scatchk1.ScatChk) - https://www.scat.suz...ab/Scatchk1.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: ST6UNST #1 - {8D566BFA-5C3C-50CC-3DEE-2CA0C22B42E8} - (no file)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - (no file)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Nobdci32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_7.dll (file missing)
O21 - SSODL: GxSCeZbh - {A49D52D4-0E37-F87E-3FEB-99E89BE4AC3C} - (no file)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~1\asKernel.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by coachwife6, 25 August 2005 - 05:42 PM.

  • 0

Advertisements


#2
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Hi rcolf. Sorry, it's taken so long. If you still need assistance, please run hijack this and post a new log in this thread and I'll look at it right away. :tazz:
  • 0

#3
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HI,
THANKS FOR HELPING OUT WITH MY PROBLEM. I APPRECIATE YOUR TIME SPENT.
FOLLOWING IS MY MOST RECENT HIJACKTHIS.LOG. I HAVE ALSO AS RECOMENEDED FOLLOWED ALL YOUR STEPS BEFORE HAND.

THANKS AGAIN
RCOLF



Logfile of HijackThis v1.99.1
Scan saved at 7:06:39 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALURIA~1\asKernel.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\icasServ.exe
C:\Program Files\Aluria Security Center\SecurityCenter.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\csaa\srai.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\HijackThis App\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.psndeale...ers/default.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [keybdll] sound64.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
O4 - HKLM\..\Run: [dmypl.exe] C:\WINDOWS\System32\dmypl.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Gqy] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [keybdll] MON76234.exe
O4 - HKCU\..\Run: [SAPSTR] TRPT.exe
O4 - HKCU\..\Run: [XTermInit] init32.exe
O4 - HKCU\..\Run: [Uahe] C:\Program Files\csaa\srai.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: www.triumphonline.net
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: http://67.19.178.84
O16 - DPF: {171B10C1-475C-11D4-8E21-005004718DC0} (Project1.UserControl1) - https://www.scat.suz.../cab/Prjaos.CAB
O16 - DPF: {2345F907-F5CF-11D3-8E1F-005004718DC0} (scatdp2a.clsSuzuki) - https://www.scat.suz...ab/scatdp2a.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {2D361311-74CA-11D2-B3F4-0060083BE8BF} (scatdp2.clsSuzuki) - https://www.scat.suz...cab/Scatdp2.CAB
O16 - DPF: {399548B6-253E-11D2-BE13-000000000000} (VPEngine ActiveX Control Class) - https://www.scat.suz...ab/vpectrl3.cab
O16 - DPF: {43241AD9-3A89-4815-9A9C-7D9B549AA13A} (prjEmptyRegular.ctlatRegular) - https://www.scat.suz...cab/prj481E.CAB
O16 - DPF: {531CD468-D7BF-11D3-9261-00104B6943CA} (Scatdp4.clsSuzuki) - https://www.scat.suz...cab/scatdp4.cab
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {87FA653D-4C13-11D3-8E1F-005004718DC0} (ScatUpdater.Updater) - https://www.scat.suz...ScatUpdater.CAB
O16 - DPF: {8EBAC640-ECA5-404C-AFD9-18D61BE4AF82} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.cab
O16 - DPF: {915DB736-2591-11D3-8E1F-005004718DC0} (Scatdp3.clsSuzuki) - https://www.scat.suz...cab/scatdp3.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AABEE018-FF3D-11D3-8E1F-005004718DC0} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.CAB
O16 - DPF: {CBCF1FEA-4905-11D4-8E21-005004718DC0} (w281ctlE.ctlW281E) - https://www.scat.suz...ab/w281ctlE.CAB
O16 - DPF: {D4C4A875-FD4E-11D4-AC39-00010262094C} (Scatdp1a.clsSuzuki) - https://www.scat.suz...ab/Scatdp1a.cab
O16 - DPF: {EA712BDB-7FE5-11D3-8E1F-005004718DC0} (Project1.login) - https://www.scat.suz.com/cab/login.CAB
O16 - DPF: {F25620FB-9C81-11D1-BF85-0060083BE8BF} (Project1.ctlStatusBox) - https://www.scat.suz...riStatusBox.CAB
O16 - DPF: {FDC1DAA5-BC3E-11D2-B3F6-0060083BE8BF} (Scatchk1.ScatChk) - https://www.scat.suz...ab/Scatchk1.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O21 - SSODL: ST6UNST #1 - {8D566BFA-5C3C-50CC-3DEE-2CA0C22B42E8} - (no file)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - (no file)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Nobdci32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_7.dll (file missing)
O21 - SSODL: GxSCeZbh - {A49D52D4-0E37-F87E-3FEB-99E89BE4AC3C} - (no file)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: asKernel - Unknown owner - C:\PROGRA~1\ALURIA~1\asKernel.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Wow, I don't even know where to start, but we'll take it one step at a time and it will be singing in no time. :tazz:

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = https://www.psndeale...ers/default.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [icasServ] C:\WINDOWS\System32\icasServ.exe
O4 - HKLM\..\Run: [keybdll] sound64.exe
O4 - HKLM\..\Run: [_Cat1] C:\WINDOWS\nmmst.exe
O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
O4 - HKLM\..\Run: [dmypl.exe] C:\WINDOWS\System32\dmypl.exe
O4 - HKLM\..\Run: [hgqhp.exe] C:\WINDOWS\System32\hgqhp.exe

O4 - HKCU\..\Run: [Gqy] C:\WINDOWS\System32\w?nword.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [keybdll] MON76234.exe
O4 - HKCU\..\Run: [SAPSTR] TRPT.exe
O4 - HKCU\..\Run: [XTermInit] init32.exe
O4 - HKCU\..\Run: [Uahe] C:\Program Files\csaa\srai.exe
O4 - HKCU\..\Run: [SNInstall] C:\winstall.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE<<resource hog

O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted Zone: *.acura.com
O15 - Trusted Zone: *.ahm-ownerlink.com
O15 - Trusted Zone: *.ahmdealer.com
O15 - Trusted Zone: *.honda.com
O15 - Trusted Zone: *.hondacars.com
O15 - Trusted Zone: www.triumphonline.net
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: http://67.19.178.84

O16 - DPF: {171B10C1-475C-11D4-8E21-005004718DC0} (Project1.UserControl1) - https://www.scat.suz.../cab/Prjaos.CAB
O16 - DPF: {2345F907-F5CF-11D3-8E1F-005004718DC0} (scatdp2a.clsSuzuki) - https://www.scat.suz...ab/scatdp2a.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {2D361311-74CA-11D2-B3F4-0060083BE8BF} (scatdp2.clsSuzuki) - https://www.scat.suz...cab/Scatdp2.CAB
O16 - DPF: {399548B6-253E-11D2-BE13-000000000000} (VPEngine ActiveX Control Class) - https://www.scat.suz...ab/vpectrl3.cab
O16 - DPF: {43241AD9-3A89-4815-9A9C-7D9B549AA13A} (prjEmptyRegular.ctlatRegular) - https://www.scat.suz...cab/prj481E.CAB
O16 - DPF: {531CD468-D7BF-11D3-9261-00104B6943CA} (Scatdp4.clsSuzuki) - https://www.scat.suz...cab/scatdp4.cab
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB

O16 - DPF: {87FA653D-4C13-11D3-8E1F-005004718DC0} (ScatUpdater.Updater) - https://www.scat.suz...ScatUpdater.CAB
O16 - DPF: {8EBAC640-ECA5-404C-AFD9-18D61BE4AF82} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.cab
O16 - DPF: {915DB736-2591-11D3-8E1F-005004718DC0} (Scatdp3.clsSuzuki) - https://www.scat.suz...cab/scatdp3.cab
O16 - DPF: {AABEE018-FF3D-11D3-8E1F-005004718DC0} (ctlepc.scatepc) - https://www.scat.suz.../cab/ctlepc.CAB
O16 - DPF: {CBCF1FEA-4905-11D4-8E21-005004718DC0} (w281ctlE.ctlW281E) - https://www.scat.suz...ab/w281ctlE.CAB
O16 - DPF: {D4C4A875-FD4E-11D4-AC39-00010262094C} (Scatdp1a.clsSuzuki) - https://www.scat.suz...ab/Scatdp1a.cab
O16 - DPF: {EA712BDB-7FE5-11D3-8E1F-005004718DC0} (Project1.login) - https://www.scat.suz.com/cab/login.CAB
O16 - DPF: {F25620FB-9C81-11D1-BF85-0060083BE8BF} (Project1.ctlStatusBox) - https://www.scat.suz...riStatusBox.CAB
O16 - DPF: {FDC1DAA5-BC3E-11D2-B3F6-0060083BE8BF} (Scatchk1.ScatChk) - https://www.scat.suz...ab/Scatchk1.CAB

O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll

O21 - SSODL: ST6UNST #1 - {8D566BFA-5C3C-50CC-3DEE-2CA0C22B42E8} - (no file)
O21 - SSODL: SysTray.Exsh - {1768ECFC-4F5C-4f5b-B134-D67294FC78E9} - (no file)
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\System32\Nobdci32.dll (file missing)
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_7.dll (file missing)
O21 - SSODL: GxSCeZbh - {A49D52D4-0E37-F87E-3FEB-99E89BE4AC3C} - (no file)

O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#5
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HI,

I THINK I HAVE PERFORMED ALL THE STEPS YOU ASKED. INCLUDED ARE ALL THE LOGS. IT IS STARTING TO LOOK ALOT BETTER.

THANK YOU
RCOLF


Logfile of HijackThis v1.99.1
Scan saved at 4:45:05 PM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis App\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [keybdll] sound64.exe
O4 - HKLM\..\Run: [dmomb.exe] C:\WINDOWS\System32\dmomb.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: http://67.19.178.84
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: tcpG4T - C:\WINDOWS\SYSTEM32\tcpG4T.dll
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/06/2005
The current time is: 14:58:27.79

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:



Incident Status Location

Adware:adware/ezula No disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe
Spyware:spyware/wareout No disinfected C:\WINDOWS\SYSTEM32\loadctr32.exe
Adware:adware/powersearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:adware/adsmart No disinfected C:\WINDOWS\SYSTEM32\vx.tll
Adware:adware/ipinsight No disinfected C:\WINDOWS\INF\polall1r.inf
Adware:adware program No disinfected C:\$$$_.log
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Adware:adware/azesearch No disinfected C:\WINDOWS\zsettings.dll
Adware:adware/wupd No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Program Files\csaa\srai.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\SplWbr.dll
  • 0

#6
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run Hijack this and put a check mark next to these:

O4 - HKLM\..\Run: [keybdll] sound64.exe
O4 - HKLM\..\Run: [dmomb.exe] C:\WINDOWS\System32\dmomb.exe

O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: http://67.19.178.84


Reboot into safe mode and get rid of these files

sound64.exe
C:\WINDOWS\System32\dmomb.exe


Run CleanUp!

Please RIGHT-CLICK HERE to download Silent Runner's.
  • Save it to the desktop.
  • Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#7
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HI COACHWIFE,

HERE IS THE LOG FROM SILENT RUNNER. THANK YOU FOR SINGING LESSON.


THANKS AGAIN
RCOLF

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"tgcmd" = (empty string)
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent" [MS]
"Mouse Suite 98 Daemon" = "ICO.EXE" [file not found]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UC_SMB" = (empty string)

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cshtj.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! tcpG4T\DLLName = "tcpG4T.dll" [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

Aluria Security Center Spyware Eliminator Service, ASCService, "C:\Program Files\Aluria Security Center\ascserv.exe" [null data]
ASP.NET State Service, aspnet_state, "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe" [MS]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Logical Disk Manager Administrative Service, dmadmin, "C:\WINDOWS\System32\dmadmin.exe /com" ["Microsoft Corp., Veritas Software"]
MSSQL$HONDAEPC, MSSQL$HONDAEPC, "C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe -sHONDAEPC" [MS]
MSSQLServerADHelper, MSSQLServerADHelper, "C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe" [MS]
Portable Media Serial Number Service, WmdmPmSN, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\mspmsnsv.dll" [MS]}
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
SQLAgent$HONDAEPC, SQLAgent$HONDAEPC, "C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE -i HONDAEPC" [MS]
SymWMI Service, SymWSC, "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]
WMI Performance Adapter, WmiApSrv, "C:\WINDOWS\System32\wbem\wmiapsrv.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 143 seconds, including 18 seconds for message boxes)
  • 0

#8
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please download the Killbox by Option^Explicit.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C


C:\WINDOWS\SYSTEM32\tcpG4T.dll
C:\WINDOWS\SYSTEM32\ezPopStub.exe
C:\WINDOWS\SYSTEM32\loadctr32.exe
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\vx.tll
C:\WINDOWS\INF\polall1r.inf
C:\$$$_.log
C:\WINDOWS\rdt.ini
C:\WINDOWS\zsettings.dll
C:\Program Files\csaa\<<this folder
C:\WINDOWS\inf\polall1r.inf
C:\WINDOWS\system32\ezPopStub.exe
C:\WINDOWS\system32\Shex.exe
C:\WINDOWS\system32\SplWbr.dll


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After reboot, post a new HiJackThis log here.
  • 0

#9
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HELLO COACHWIFE,

HERE IS THE LATEST HIJACKTHIS LOG.


Logfile of HijackThis v1.99.1
Scan saved at 5:02:40 PM, on 8/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\HijackThis App\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




THANKS

RCOLF
  • 0

#10
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Reset your host file. Click Here to download HostsFileReader. To reset the host file to default, simply open the program, click the "reset default" button, and confirm the changes.

Give me another log and let me know how it's running. :tazz: You're doing awesome.

Edited by coachwife6, 08 August 2005 - 05:37 PM.

  • 0

Advertisements


#11
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HI COACHWIFE6

HERE IS MY VERY LATEST HIJACKTHIS.LOG. MY COMPUTER IS MUCH BETTER NOW, THANKS TO YOUR HELP. I FEEL WE ARE VERY CLOSE NOW.

Logfile of HijackThis v1.99.1
Scan saved at 12:46:07 PM, on 8/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE
C:\HijackThis App\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O11 - Options group: [JAVA_IBM] Java (IBM)
O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2345F907-F5CF-11D3-8E1F-005004718DC0} (scatdp2a.clsSuzuki) - https://www.scat.suz...ab/scatdp2a.cab
O16 - DPF: {297DE2B6-509A-4B36-93C5-A65276606900} (RRAAINAX_02.RRAAINAX) - http://www.in.honda....AX/RraainAX.CAB
O16 - DPF: {71E098B7-728F-11D2-B3F4-0060083BE8BF} (Scatdp1.clsSuzuki) - https://www.scat.suz...cab/Scatdp1.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)
O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\Program Files\Aluria Security Center\ascserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

THANK YOU,

RCOLF
  • 0

#12
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run hijack this and put check marks next to these:

O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35

Reboot. If they are still there, Run the hosts fix I gave you earlier.

If they are still there after that:

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
  • 0

#13
RCOLF

RCOLF

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
HI COACHWIFE6

HERE YOU GO. THE LATEST LOG FROM SILENT RUNNERS.
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"tgcmd" = (empty string)
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent" [MS]
"Mouse Suite 98 Daemon" = "ICO.EXE" [file not found]
"IgfxTray" = "C:\WINDOWS\System32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"]
"ibmmessages" = "C:\Program Files\IBM\Messages By IBM\ibmmessages.exe" ["IBM"]
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"UC_SMB" = (empty string)
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cshtj.exe" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! tcpG4T\DLLName = "tcpG4T.dll" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG7\avgse.dll" ["GRISOFT, s.r.o."]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\CMS User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\sstext3d.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
MSSQL$HONDAEPC, MSSQL$HONDAEPC, "C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlservr.exe -sHONDAEPC" [MS]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
SQLAgent$HONDAEPC, SQLAgent$HONDAEPC, "C:\Program Files\Microsoft SQL Server\MSSQL$HONDAEPC\Binn\sqlagent.EXE -i HONDAEPC" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 10 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 11 seconds.
---------- (total run time: 104 seconds)

THANK YOU

RCOLF
  • 0

#14
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Still looking for a fix. You have a new and rather difficult infection. We're almost there.
  • 0

#15
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Click on start
Then click on run

Type in sc stop UDPservice

If the run box closes, open it up again.

Type in sc delete UDPservice

Open Windows Explorer and show hidden files.
Click on tools
Click on folder options
Click on the view tab
Select Show all Files and Folders
Be sure to change this setting back after you are done working with your computer.

Then delete the following files.


c:\windows\system32\tcpG4T.dll
c:\windows\system32\msudp4.sys



Reboot your computer into normal Windows.

Please reopen HiJackThis and scan your computer. Please place a check mark next to the following entries. Be sure to select only the entries that are listed below, as deleting the wrong file could cause harm to your system.

O15 - Trusted Zone: *.164.109.25.72
O15 - Trusted Zone: *.207.130.86.35

O20 - Winlogon Notify: tcpG4T - tcpG4T.dll (file missing)

Run CleanUp!

thanks to Atribune! :tazz: for the suggestions and Justin too.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP