Spyware/Redirects IE 6.0 XP

#1
TomTomTom
    Member, 60 posts
I started getting a new search toolbar that was obviously spyware and a new icon on my desktop. AdAware got rid of it. But after reboot, when I do a Yahoo search and click on a result link, it takes me to a new set of results in Lycos. The same search results, only Lycos's version. I've tried AdAware, CWShredder, Trend, Search&Destroy, and even ToolbarCop. I've been deleting files for over a week, but they and similar ones come back.
My system is getting slower, and now I am getting redirected to all kinds of sites, not just Lycos.
Here is my HijackThis file. Thanks!!

I am no expert, but not quite a novice either, so if there is more info I can provide, please let me know.

Logfile of HijackThis v1.99.1
Scan saved at 6:41:28 PM, on 8/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lawcrossing\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AE7CD045-E861-484F-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - -{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www2.stopzil...es/SZScanLE.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{93BDDEBA-DAFD-434C-AA3A-6D641318538D}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\lawcrossing\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#2
don77
    Malware Expert, Retired Staff, 18,526 posts
Hi Tom,
Sorry for the delay in response.
Do you recognize this IP address?

195.95.218.1

I'm thinking you don't; a whois search turns up a Ukraine address.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

O17 - HKLM\System\CCS\Services\Tcpip\..\{93BDDEBA-DAFD-434C-AA3A-6D641318538D}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7

Reboot and post back a fresh HJT log please.
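The two O17 lines are the actual hijack in this log. Each one is HijackThis's shorthand for a per-interface DNS setting, the NameServer value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}, and "Fix Checked" does nothing more than clear that value. Two things a practitioner wants to see when reading such a log: every interface GUID that carries a resolver the owner did not configure, and the exact registry value to inspect after the reboot, because if the dropper that wrote the value is still running it simply writes it again (the later log in this thread shows the {F368DA97-...} entry back). The script below is an added example, not code from the thread or from HijackThis: it parses O17 lines, expands the abbreviated key path, and flags any resolver outside an allowlist. The allowlist (a LAN router range plus a placeholder ISP block) and the third, benign O17 line in the sample are constructed assumptions; the first two sample lines are copied from the log above.

```python
"""Triage of HijackThis O17 (NameServer) entries.

Added example for the Geeks to Go thread above; not HijackThis code.
Parses O17 lines, expands HJT's 'HKLM\System\CCS\Services\Tcpip\..\{GUID}'
shorthand to the real per-interface registry value, and flags resolvers
that are not on an operator-supplied allowlist.
"""
import ipaddress
import re

# First two lines: real O17 entries from the posted log.
# Third line: constructed benign entry (192.168.1.1) so the allowlist path runs.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{93BDDEBA-DAFD-434C-AA3A-6D641318538D}: NameServer = 195.95.218.1,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
"""

# Constructed allowlist (assumption): the resolvers this machine is *supposed* to use.
# Replace 198.51.100.0/24 with the real ISP resolver block; it is a documentation range here.
TRUSTED_RESOLVERS = [
    ipaddress.ip_network("192.168.0.0/16"),   # SOHO router acting as DNS forwarder
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("198.51.100.0/24"),  # placeholder for the ISP's resolvers
]

# HJT prints: O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = <value>
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\(\{[0-9A-Fa-f-]{36}\}): NameServer = (.*)$"
)


def parse_o17(log_text):
    """Return [(interface_guid, [ip, ...]), ...] for every O17 line.

    HijackThis prints the registry value verbatim, so the separator may be a
    comma or a space (both forms appear in the posted log); split on either.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        guid, raw = m.groups()
        ips = [tok for tok in re.split(r"[,\s]+", raw.strip()) if tok]
        entries.append((guid, ips))
    return entries


def registry_value_path(guid):
    """Expand the O17 shorthand to the value the check actually reads."""
    return (r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
            + "\\" + guid + r"\NameServer")


def flag_rogue(entries, trusted=TRUSTED_RESOLVERS):
    """Per interface, list resolvers not inside any trusted network.

    Tokens that are not valid IP addresses are reported as well: a
    NameServer value that does not parse is itself worth a look.
    """
    findings = []
    for guid, ips in entries:
        rogue = []
        for tok in ips:
            try:
                addr = ipaddress.ip_address(tok)
            except ValueError:
                rogue.append(tok)
                continue
            if not any(addr in net for net in trusted):
                rogue.append(tok)
        if rogue:
            findings.append({"guid": guid, "rogue": rogue,
                             "registry": registry_value_path(guid)})
    return findings


if __name__ == "__main__":
    for f in flag_rogue(parse_o17(SAMPLE_LOG)):
        print(f["registry"])
        print("    rogue resolvers:", ", ".join(f["rogue"]))
```

Run against the posted log it reports both interfaces with 195.95.218.1 and 85.255.112.7 and prints the registry value to re-check after the reboot; the constructed 192.168.1.1 interface is silent. An allowlist rather than a blocklist is the right shape for this check: the owner knows which resolvers are legitimate, whereas the rogue addresses change from campaign to campaign.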

#3
TomTomTom
    Member, Topic Starter, 60 posts
Thanks, Don. No problem about the wait. Sorry about the duplicate post, but I realized I had written an incorrect subject. Anyway, here is the new HJT log. Note that the computer seemed a little slow booting up...could be in my head, or could be something still in there...Thanks so much:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:33 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Documents and Settings\lawcrossing\Desktop\HijackThis.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AE7CD045-E861-484F-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - -{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www2.stopzil...es/SZScanLE.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\lawcrossing\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#4
don77
    Malware Expert, Retired Staff, 18,526 posts
OK, let's see if we can shake something up here.

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Post back the txt file from Ewido and a fresh HJT please

#5
TomTomTom
    Member, Topic Starter, 60 posts
OK, it took about an hour for the Ewido scan, but here is the log (the HJT file follows it). I notice that the Ukraine is back in HJT:

EWIDO:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:06:59 PM, 8/8/2005
+ Report-Checksum: FA71D8DE

+ Scan result:

C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@bs.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wfkiogazoao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wfloolczgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjk4khcpghp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjkoakdpgdp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjkosnczcep.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjkyagcpwcp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjkygpdpchq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjkywgczsbo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjl4gncjcbp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjlocpcpclp.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjlyqndjwlp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjmiklcjkgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjmycnc5mgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjnyakcpwgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@e-2dj6wjnyomdjccq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\lawcrossing\Cookies\lawcrossing@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007745.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007747.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007749.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007753.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007756.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP184\A0007757.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007764.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007765.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007768.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007772.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007773.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007779.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP186\A0007780.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007791.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007796.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007800.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007802.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007807.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007808.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007811.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007812.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007814.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007815.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP187\A0007816.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007876.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007877.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007880.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007881.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007898.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007899.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007912.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007916.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007918.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007923.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007927.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007930.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007932.exe -> TrojanDropper.Agent.qb : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007938.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007939.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007947.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007950.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007953.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP188\A0007954.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP189\A0007975.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP189\A0007979.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP189\A0007982.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP189\A0007983.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP192\A0008031.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP192\A0008056.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP192\A0008069.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP192\A0008070.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP193\A0008084.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP193\A0008087.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP193\A0008090.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP193\A0008091.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0008096.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0008099.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0008102.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0008103.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0009096.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0009101.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP194\A0009104.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009111.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009114.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009117.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009120.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009122.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009127.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009130.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP195\A0009135.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009139.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009140.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009144.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009146.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009153.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP196\A0009154.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP197\A0009170.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP197\A0009172.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP197\A0009175.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP197\A0009176.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP198\A0009200.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP198\A0009204.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP198\A0009207.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP198\A0009208.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP201\A0009247.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP201\A0009250.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP202\A0009252.exe -> Spyware.FindSpy : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP202\A0009253.exe -> Spyware.Msnagent : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP202\A0009259.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\System Volume Information\_restore{F56442AA-F748-4D4E-8590-BF0504DF99D6}\RP202\A0009262.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\WINDOWS\system32\dmxqt.exe -> TrojanDropper.Vidro.u : Cleaned with backup
C:\WINDOWS\tmp.hta -> TrojanDownloader.VBS.Psyme.at : Cleaned with backup


::Report End

NOW HIJACK THIS:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:58 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Movie Magic Screenwriter\scwriter32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Documents and Settings\lawcrossing\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AE7CD045-E861-484F-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - -{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www2.stopzil...es/SZScanLE.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\lawcrossing\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Let's try this again.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7


Reboot and post back a fresh HJT log.
Let us know how your computer is running.
  • 0
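
The O17 entry don77 asks to fix is the per-interface DNS server list (the NameServer value under the Tcpip service key); when that points at resolvers the machine has no business using, every lookup the browser makes can be answered by someone else, which is exactly the search-result redirecting described in this thread. As an added example that is not code from the thread, from HijackThis or from any of the tools named here, the Python below parses O17 lines out of a HijackThis log and flags name servers outside the resolver set you expect, and also lists O2/O3 entries whose file is gone. The sample log lines are copied from the logs posted in this thread, except the second O17 line (192.168.1.1 with a placeholder GUID), which is constructed for contrast.

```python
import ipaddress
import re

# Constructed sample: the O17, O2 and O4 lines are copied from the HijackThis logs in this
# thread; the second O17 line (192.168.1.1 with a placeholder GUID) is made up for contrast.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-PLACEHOLDER-GUID}: NameServer = 192.168.1.1
"""

# O17 lines carry the interface GUID in braces and a space-separated server list.
O17_RE = re.compile(r"^O17 - .*\{(?P<guid>[^}]+)\}: NameServer = (?P<servers>.+)$")
# O2 (BHO) and O3 (toolbar) entries still registered but whose DLL no longer exists.
ORPHAN_RE = re.compile(r"^(?:O2|O3) - .*\(no file\)$")


def parse_o17(log_text):
    """Map each interface GUID in an O17 line to its list of DNS server strings."""
    servers = {}
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if m:
            servers[m.group("guid")] = m.group("servers").split()
    return servers


def unexpected_nameservers(log_text, expected=None):
    """Return (guid, server, reason) for every name server not in `expected`.

    `expected` is a list of CIDR networks the machine should legitimately use
    (your ISP's or your own resolvers). With no list given, only private
    (RFC 1918) resolvers such as a home router are treated as expected.
    """
    allowed = [ipaddress.ip_network(n) for n in (expected or [])]
    findings = []
    for guid, entries in parse_o17(log_text).items():
        for entry in entries:
            try:
                ip = ipaddress.ip_address(entry)
            except ValueError:
                findings.append((guid, entry, "not an IP address"))
                continue
            ok = ip.is_private if expected is None else any(ip in net for net in allowed)
            if not ok:
                findings.append((guid, entry, "not in the expected resolver set"))
    return findings


def orphaned_entries(log_text):
    """O2/O3 entries whose CLSID is registered but whose file no longer exists."""
    return [l.strip() for l in log_text.splitlines() if ORPHAN_RE.match(l.strip())]


if __name__ == "__main__":
    for guid, server, reason in unexpected_nameservers(SAMPLE_HJT_LOG):
        print(f"O17 {{{guid}}}: {server} -> {reason}")
    for line in orphaned_entries(SAMPLE_HJT_LOG):
        print("orphan:", line)
```

Run without an `expected` list it reports both 195.95.218.1 and 85.255.112.7 and accepts the private 192.168.1.1 entry; pass your ISP's resolver ranges as `expected` to tighten the check. The orphaned O2 entries are not what causes redirects, but they are the leftovers of an earlier add-on and are worth cleaning once the DNS setting stops coming back.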

#7
TomTomTom

TomTomTom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Ok, I did this. After reboot, it was even slower coming back up. I got an hourglass once my desktop came up, and after about 5 full minutes, I gave up and rebooted again, and it happened again. The 3rd reboot attempt finally worked, but was still slow.
I did HJT and #017 (Ukraine) was not there. Then I opened up this window to type back to you...on a hunch, I did HJT again, and 017 was there (see below). So it seems to be dumping something on me when I open up a browser and is not there after clean and reboot. Still don't know about the slow and or failed reboots, but I think we're getting somewhere...

Logfile of HijackThis v1.99.1
Scan saved at 7:13:45 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lawcrossing\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AE7CD045-E861-484F-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - -{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www2.stopzil...es/SZScanLE.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\lawcrossing\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK, let's see if there is something that keeps bringing this back.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

Note: If you get an error while running the findit's.bat (autoexec.exe....), perform next fix: http://www.visualtou...oads/xp_fix.exe


Also,

Run a scan with ActiveScan
Make sure you check the 'Disinfect automatically' option in Active scan

Post back what Active finds as well please
  • 0

#9
TomTomTom

TomTomTom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Ok, thank you for your continued help. It is VERY appreciated.
ActiveScan showed nothing...all were zeros, nothing found and nothing cleaned. The findit.zip TXT file is as follows:

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E818-06BD

Directory of C:\WINDOWS\System32

07/13/2005 03:04 AM <DIR> dllcache
12/29/2004 11:52 AM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 9,994,936,320 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is E818-06BD

Directory of C:\WINDOWS\System32

07/13/2005 03:04 AM <DIR> dllcache
12/29/2004 11:39 AM 488 logonui.exe.manifest
12/29/2004 11:39 AM 488 WindowsLogon.manifest
12/29/2004 11:39 AM 749 nwc.cpl.manifest
12/29/2004 11:39 AM 749 sapi.cpl.manifest
12/29/2004 11:39 AM 749 wuaucpl.cpl.manifest
12/29/2004 11:39 AM 749 cdplayer.exe.manifest
12/29/2004 11:39 AM 749 ncpa.cpl.manifest
7 File(s) 4,721 bytes
1 Dir(s) 9,994,936,320 bytes free

---------- Files Named "Guard" -------------

Volume in drive C has no label.
Volume Serial Number is E818-06BD

Directory of C:\WINDOWS\System32


--------- Temp Files in System32 Directory --------

Volume in drive C has no label.
Volume Serial Number is E818-06BD

Directory of C:\WINDOWS\System32

08/22/2001 09:00 PM 2,577 CONFIG.TMP
1 File(s) 2,577 bytes
0 Dir(s) 9,994,936,320 bytes free

---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User

Agent\Post Platform]
"SV1"=""


------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows

NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


---------------- Xfind Results -----------------


-------------- Locate.com Results ---------------


No matches found.

  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
We have seen this 017 a few times and it would go away quietly using HJT.
Let's do a little more digging.

Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • 0

#11
TomTomTom

TomTomTom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Thanks again...here is the silent runners.vbs log:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = "1" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
"dmvwh.exe" = "C:\WINDOWS\system32\dmvwh.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csdsn.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "lawcrossing" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 93 seconds, including 18 seconds for message boxes)
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK, that showed us a couple of things.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":

O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7


Close out HJT,

Next -
*Please open notepad and save these instructions, Name it something you will remember
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\hclean32.exe
C:\WINDOWS\system32\dmvwh.exe
csdsn.exe

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

The computer should reboot on its own; if not, restart manually, and post back a fresh HJT log please.
  • 0
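
The three file names don77 puts on the Killbox list come straight from the Silent Runners log: the two Run entries marked `[file not found]` / `[null data]` and the Winlogon `"System"` value, a launch point that normally is not set at all. As an added example, not code from the thread or from Silent Runners, the Python below does that triage automatically: it walks the registry sections of a Silent Runners log and pulls out launch-point entries whose target is missing or unidentifiable. The sample is a constructed excerpt of the log posted above; the `LAUNCH_KEYS` and `STALE_NOTES` sets are my own choices, not part of the tool.

```python
import re

# Constructed excerpt of the Silent Runners log posted in this thread (not the full log).
SAMPLE_SILENT_RUNNERS = r"""
Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = "1" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
"dmvwh.exe" = "C:\WINDOWS\system32\dmvwh.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csdsn.exe" [null data]
"""

# Registry keys (by leaf name) that launch code at logon. Assumed set, chosen for this example.
LAUNCH_KEYS = {"Run", "RunOnce", "RunServices", "Winlogon"}
# Silent Runners annotations meaning the referenced file is missing or carries no version info.
STALE_NOTES = {"file not found", "null data"}

# A value line looks like:  "name" = "value" [note]   optionally prefixed by INFECTION WARNING!
VALUE_RE = re.compile(
    r'^(?:INFECTION WARNING! )?"(?P<name>[^"]+)" = "(?P<value>.*)" \[(?P<note>[^\]]+)\]\s*$'
)


def parse_entries(log_text):
    """Yield (section_leaf, name, value, note) for every value line in the log."""
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("HK"):
            # Section header such as 'HKLM\...\Run\ {++}' -> leaf name 'Run'
            section = line.replace("{++}", "").strip().rstrip("\\").split("\\")[-1]
            continue
        m = VALUE_RE.match(line)
        if m:
            yield section, m.group("name"), m.group("value").strip('"'), m.group("note")


def stale_persistence(log_text):
    """Launch-point entries whose target is missing or unidentifiable and names an executable."""
    findings = []
    for section, name, value, note in parse_entries(log_text):
        if section in LAUNCH_KEYS and note in STALE_NOTES and value.lower().endswith(".exe"):
            findings.append({"key": section, "name": name, "value": value, "note": note})
    return findings


if __name__ == "__main__":
    for f in stale_persistence(SAMPLE_SILENT_RUNNERS):
        print(f"{f['key']:<8} {f['name']:<14} {f['value']} [{f['note']}]")
```

On the sample this yields hclean32.exe, dmvwh.exe and csdsn.exe, the same list as the post above, while leaving out the harmless `"Yahoo! Pager" = "1"` leftover (not an executable) and the Trend Micro ShellExecuteHooks line, which Silent Runners flags by habit but which resolves to a vendor-signed DLL. The `.exe` filter is a deliberate trade-off: it keeps the list short for a first pass, but a loader registered as a DLL or script would need the filter relaxed.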

#13
TomTomTom

TomTomTom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Arggg....same thing. O17 was not there immediately after reboot.
But when I logged into my DSL and then opened browser, it was back:

Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:16:17 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\lawcrossing\Desktop\SpyWareStuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O2 - BHO: (no name) - -{53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - -{AE7CD045-E861-484F-8273-0445EE161910} - (no file)
O3 - Toolbar: (no name) - -{47833539-D0C5-4125-9FA8-0819E2EAAC93} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {5A447319-0EA2-447B-A063-A5F849B097D0} (ScanZillaLE Class) - https://www2.stopzil...es/SZScanLE.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F368DA97-ED4C-4C36-B4F3-6D6C01F30CC5}: NameServer = 195.95.218.1 85.255.112.7
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\lawcrossing\Desktop\CWShredder.exe (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
How was the startup?
Could you post back a fresh Silent Runners log please?

I'm going to be heading off shortly, nearly 1:30 am here :tazz:
  • 0

#15
TomTomTom

TomTomTom

    Member

  • Topic Starter
  • Member
  • PipPip
  • 60 posts
Startup was still slow....at my XP prompt during bootup, the blue thingie waiting scroll bar usually goes across 5 or 6 times, but now it's close to 20. And then it usually goes black for a second or two, but now it's like 15 seconds. Thanks for your help tonight...go to bed and I hope you will still bear with me and continue when you have the time...

Silent Runner Fresh LOG:

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = "1" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"hclean32.exe" = "C:\WINDOWS\system32\hclean32.exe" [file not found]
"dmvwh.exe" = "C:\WINDOWS\system32\dmvwh.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}" = "Adobe.Acrobat.ContextMenu"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
"{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{03A80B1D-5C6A-42c2-9DFB-81B6005D8023}" = "Trend Micro Anti-Spyware Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Tmas\sshook.dll" ["Trend Micro Incorporated"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csrbw.exe" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
Adobe.Acrobat.ContextMenu\(Default) = "{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll" ["Adobe Systems Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "lawcrossing" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Acrobat Assistant" -> shortcut to: "C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe" ["Adobe Systems Inc."]
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"SBC Self Support Tool" -> shortcut to: "C:\Program Files\SBC Self Support Tool\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Trend Micro Anti-Spyware" -> shortcut to: "C:\Program Files\Trend Micro\Tmas\Tmas.exe -autostart" ["Trend Micro Incorporated"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{182EC0BE-5110-49C8-A062-BEB1D02A220B}\ = "Adobe PDF" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll" [null data]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
PCTEL Speaker Phone, Pctspk, "C:\WINDOWS\system32\pctspk.exe" ["PCtel, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 91 seconds, including 18 seconds for message boxes)