
Infected with rdriv.sys [RESOLVED]


This topic is locked

#1
llevison (Member, 29 posts)
Hi there

First off, thank you for existing. Your explanations and help columns let me figure out what was going on with my computer and get it working again.

I had the rdriv.sys trojan due to a stupid user error (visiting a friend, set up a new Network Connection, forgot to set up the firewall, won't forget again). However, I had a few other symptoms as well, including the TaskManager not displaying, and at one point MSWord would launch a shell but then freeze -- ie, no text or even white part of the window.

I have gone thru almost all the steps in "You Must Read this Before Posting a HijackThis log" -- the only exception is that I could get neither Trend Housecall nor Panda to run. I am updated with MS/XP SP1.

However, when I checked the Windows/System32 folder this morning, there were a number of junky *.tmp files still sitting there (1C.tmp, 55.tmp, AO.tmp, etc). I have quarantined these. Still left in that folder are the files: wpa.dbl and FNTCACHE.dat -- could you tell me what these files are? They appear in other forum posts and I think they need to go.

I am a Eudora/Opera user -- almost never use IE unless that's the only browser that will display a webpage.

So could I ask someone to check my HijackThis log from this morning and tell me if I got everything? I have not "fixed" anything in HijackThis yet.

Thank you in advance.

Libby

======
Logfile of HijackThis v1.99.1
Scan saved at 9:08:47 AM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Opera7\opera.exe
C:\downloads\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\libby\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\F.tmp
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\RunServices: [USB Driver4] UpdateXP6.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [USB Driver4] UpdateXP6.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Hi llevison and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3
llevison (Topic Starter, Member, 29 posts)
Hi Excal,

Thank you for your quick reply!

I'm still having trouble with the computer -- I do *not* like the number of bits being sent out... I do think that rdriv.sys is fixed, but I think there are other problems now and I can't find them. So I'd really appreciate your looking at the logfile!

Thanks!

Here's a new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:11:49 PM, on 8/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera7\opera.exe
C:\toshiba\ivp\netint\netint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\libby\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\F.tmp
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKLM\..\RunServices: [USB Driver4] UpdateXP6.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [USB Driver4] UpdateXP6.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)

DOWNLOAD PROGRAMS


* rdrivRem.zip
  • Unzip it to your desktop.
* Ewido Security Suite
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed exit Ewido.
* CleanUp!
  • Install it.
* Killbox by Option^Explicit
  • Save it to your desktop.

THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for Mouse Cursor Monitor (mousecrm) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

5. Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

6. Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

7. Run the program CleanUp!

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\F.tmp
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\RunServices: [USB Driver4] UpdateXP6.exe
O4 - HKCU\..\Run: [USB Driver4] UpdateXP6.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)


11. Click the Fix Checked box

12. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\F.tmp
C:\WINDOWS\System32\mousecrm.exe
Start>Search for this one:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
UpdateXP6.exe


13. Delete Microsoft Locator Service
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • click on "delete an NT service"
  • Copy and paste this in the box: mousecrm
  • Click "ok", then reboot
14. Reboot into normal mode and Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

15. Please post the Active scan log, the rdriv.txt and a fresh HiJackThis log. Let me know how your computer is running.

#5
llevison (Topic Starter, Member, 29 posts)
Hi Excal

I've done everything you've asked except for the online scans -- as I said in my first posting, I don't seem to be able to get them to run. Panda will only run in IE and needs ActiveX enabled, and I can't find that anywhere to enable it; Trend's Housecall just ran for 15 minutes and did nothing. How long should it take on a 56K dialup?

Suggestions on getting one of them running? I'll be back on in a few hours

Thank you

Libby

#6
llevison (Topic Starter, Member, 29 posts)
Hi Excal,

I have finished your instructions. I finally got TrendMicro to run, but it was very slow (>3hrs) and kept getting stuck. I don't know if that's normal or not. In the end it never printed a report for me, but reported two viruses found:
1) Worm_bagle.Gen-1 in an email attachment ; now deleted
2) TrojAgent.uz in C:\Windows\smss.exe ; no action taken

I am attaching the two logs I have below.

I also have a question: what does the file C:\Windows\updatees do? I have Googled it and can't find enough information. It was recently modified (ie, while I've been fighting these infections).

More this evening. Thank you!

=========================
RDRIV
++++++++++++++++++

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!

=============================
HiJack This
+++++++++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 12:00:21 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Common Files\Network Associates\McUpdate\MCUPDATE.EXE
C:\Program Files\Common Files\Network Associates\LWI\LWI.exe
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\libby\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4FC6BF6-5126-4977-A7CB-14DCC2439DB4}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#7
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)
Things are looking pretty good, HiJackThis is clean. How are things running on your end? Did you have any luck finding and deleting UpdateXP6.exe?


Delete Bad File
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\Windows\smss.exe <===Make sure it's in the Windows folder, not in the system32 folder
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "Yes".
:tazz:

Excal
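As an added example (not code from this thread, from HijackThis, or from either poster), the following Python script parses the log line formats shown above and flags the same kinds of entries Excal singled out in posts #4 and #7: Run-key entries that launch a .tmp file or a bare filename, one entry planted in several Run keys at once, O23 services whose binary is missing, and a core system-process name running from outside System32. The sample log embedded in it is constructed from lines in this thread plus one made-up process line (C:\WINDOWS\smss.exe) to exercise the last check.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99 format: the entries discussed in this
# thread plus one made-up process line (C:\WINDOWS\smss.exe) for the System32 check.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\F.tmp
O4 - HKLM\..\Run: [USB Driver4] UpdateXP6.exe
O4 - HKLM\..\RunServices: [USB Driver4] UpdateXP6.exe
O4 - HKCU\..\Run: [USB Driver4] UpdateXP6.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Core Windows XP processes that load from %SystemRoot%\System32; the same name
# running from anywhere else (the C:\WINDOWS\smss.exe TrendMicro reported) is suspect.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Windows helpers that legitimately appear in Run keys without a full path.
PATHLESS_OK = {"rundll32.exe", "regsvr32.exe"}

PROC_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|tmp|dll|bat|com|scr|pif))"?(?:\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


def first_executable(cmd: str) -> str:
    """Return the program a Run-key command launches, with surrounding quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip().split()[0].strip('"')


def analyze(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: list[Finding] = []
    run_keys_by_entry: dict[tuple[str, str], list[str]] = defaultdict(list)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        if PROC_RE.match(line):  # a line from the "Running processes" block
            directory, _, base = line.rpartition("\\")
            if base.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
                findings.append(Finding("high", "core system process name running outside System32", line))
            continue

        m = O4_RE.match(line)
        if m:
            exe = first_executable(m["cmd"])
            base = exe.rpartition("\\")[2].lower()
            if base.endswith(".tmp"):
                findings.append(Finding("high", "run key launches a .tmp file", line))
            elif "\\" not in exe and base not in PATHLESS_OK:
                findings.append(Finding("medium", "run key uses a bare filename resolved via the search path", line))
            run_keys_by_entry[(m["name"], exe.lower())].append(f'{m["hive"]}\\{m["key"]}')
            continue

        m = O23_RE.match(line)
        # "Unknown owner" alone is not flagged: legitimate services in this thread's
        # own logs (McShield, AvSynMgr) show it too. A missing binary is different.
        if m and m["path"].endswith("(file missing)"):
            findings.append(Finding("high", "service registered for a binary that is no longer present", line))

    # The same entry planted in HKLM\Run, HKLM\RunServices and HKCU\Run at once is a
    # persistence pattern; installers normally register a program in one place.
    for (name, exe), keys in run_keys_by_entry.items():
        if len(set(keys)) > 1:
            findings.append(Finding("medium", f"same entry [{name}] {exe} registered in {len(set(keys))} run keys",
                                    ", ".join(keys)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}: {f.line}")
```

Legitimate vendor entries in the sample (Apoint, realsched, NVSvc, the System32 copy of smss.exe) produce no findings, so the output is only the handful of lines a helper would actually ask about.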

#8
llevison (Topic Starter, Member, 29 posts)
Hi Excal:

Going back two messages (your msg yesterday at 10:30pm):
Comments:
1) Ewido found a copy of TrojanProxy.Ranky.bu which was deleted
2) When running HiJack this after Ewido: the following options did not appear:
O23 - Service\..]Mouse Cursor Monitor (mousecrm) - unknown owner
C:\WINDOWS\System32\mousecrm.exe (file missing)
3) These files no longer existed to be deleted: (your step 12)
C:\Windows\System32\F.tmp
C:\Windows\System32\mousecrm.exe
4) I could not find UpdateXP6.exe
5) Couldn't get Panda to run

In reply to your last message:
I have deleted C:\Windows\smss.exe

What does the file C:\Windows\Updatees do?

The computer is running fine -- TaskMgr is working. My only concern is that when I check the status of my connection (yes, dial-up) it looks like a large number of bytes are going out. Right now, having logged on to send this message, as many have gone out as have come in. Thoughts?

Here is the latest HiJackThis Log.

Thank you!

Libby
=======================================
Logfile of HijackThis v1.99.1
Scan saved at 10:28:24 PM, on 8/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\libby\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#9
Excal, Malware Slayer Extraordinaire! (Retired Staff, 12,739 posts)

What does the file C:\Windows\Updatees do?


Where did you get that from?

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

***NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Edited by Excal, 11 August 2005 - 09:04 PM.


#10
llevison (Topic Starter, Member, 29 posts)
Hi

Where did you get that from?


Do you mean how did I get it on the computer or where did I find it? I've been searching for information on any files that got added to the computer around the time of the infection; those I found to be viruses and found help for, I got rid of (I had actually tried to clear rdriv.sys and mousecrm myself). But I couldn't find anything on updatees -- it just looks suspicious. What is it?

I can send a list of other files that keep being modified every time I log in if that's helpful.

Ok, MWAV loaded and running. Will post the infected items list tomorrow.

Thank you!

Libby


#11 Excal (Retired Staff)
Sure that would be helpful.

Is that a folder or a file? I didn't see an extension on it.

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


reboot into safe mode

Open up and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido


Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Edited by Excal, 11 August 2005 - 11:04 PM.


#12 llevison (Topic Starter)
Good morning!

Is that a folder or a file? I didn't see an extension on it.


updatees.exe is an application

Below you have the list of files I am suspicious about, and below that the results of MWAV. MWAV does say that updatees is infected!!! Now running Ewido again, will post results soon.

THANK YOU!

Libby

++++++++++++

Here is a list of the files that I can't find enough info about on the Web, and I don't like the fact that they've been modified since I got infected (date listed is modified date).

C:\
23990098.$$$ $$$ File 8/12 4:48am
AVPCallback Text 8/11 11:38pm
(these two maybe from running MWAV?)

c:\WINDOWS
win.ini Configuration settings 0KB 8/11 10:16 (last logon)
0 Text 8/11 10:16 (last logon)
TSC.ini Configuration 8/11 9:14am (logged on)
RM-RESULT.dat DAT file 8/11 9:14am (logged on)
TMUPDATE.DLL App extension 8/11 9:01am (logged on)
UNZIP.DLL App extension 8/11 9:01am (logged on)
PATCH Application 8/11 9:01am (logged on)
machine.ver VER File 8/10 10:52pm
VPTNFILE.771 771 File 8/10 1:59pm (computer in standby mode)
lpt$vpn.771 771 File 8/10 1:59pm (computer in standby mode)
Kyor.ini Text 8/8 11:59pm
updatees Application 8/3 4:58pm

++++++++++++

And here are the results from MWAV, line feeds added to make it easier to read. I have already deleted the attached message.zip (never opened).


Object "Quicken Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USWebUncoated.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\AppleRGB.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\ColorMatchRGB.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\EuroscaleCoated.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\EuroscaleUncoated.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\JapanStandard.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\sRGB Color Space Profile.icm". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USSheetfedCoated.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USSheetfedUncoated.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USWebCoatedSWOP.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\AdobeRGB1998.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\WideGamutRGB.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\NTSC1953.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\PAL_SECAM.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\SMPTE-C.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\CIERGB.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\Photoshop5DefaultCMYK.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\Photoshop4DefaultCMYK.icc". Action Taken: No Action Taken.

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Adobe\Fonts\Reqrd\Base\AdobeFnt.lst". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{000287CC-0000-0000-C000-000000000046}" refers to invalid object "apprclip.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{29134141-2EED-1069-BF5D-00DD011186B7}" refers to invalid object "LWPEQNN.DLL". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765C5-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765C6-AE47-11D1-9975-00805F8AC636}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765C7-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765C8-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "edpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765CB-AE47-11D1-9975-00805F8AC63E}" refers to invalid object "mnpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{2FC765CC-AE47-11D1-9975-00805F8AC6B3}" refers to invalid object "mnpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{62845280-4FE2-11D1-8EAC-00805FD26FAA}" refers to invalid object "lipref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{744C3DF0-DFAE-11D1-826B-00805F2AB103}" refers to invalid object "brpref32.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{7730E78F-A89A-11D3-9982-0060B088BBCA}" refers to invalid object "C:\PROGRA~1\AMERIC~1.0\AMP\ampx.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.

Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.

Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.

Entry "HKCR\Layout" refers to invalid object "{812AE312-8B8E-11CF-93C8-00AA00C08FDF}". Action Taken: No Action Taken.

Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

Entry "HKCR\PRLOTREG.PrlotregCtrl.1" refers to invalid object "{129550A5-75C9-11D3-9F87-00600894B1EE}". Action Taken: No Action Taken.

File C:\WINDOWS\updatees.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047419.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047432.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047471.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047536.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047540.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048650.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048666.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048680.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048685.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0049213.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051411.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051424.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051441.exe infected by "Backdoor.Win32.Agent.mo" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055791.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055991.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP149\A0057313.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP150\A0057361.exe infected by "Trojan-Proxy.Win32.Agent.fy" Virus! Action Taken: No Action Taken.

File C:\Users\libby\Eudora\Attach\message.zip infected by "Email-Worm.Win32.Mydoom.m.log" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\updatees.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047419.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP137\A0047432.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047471.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047536.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0047540.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048650.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048666.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048680.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0048685.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP138\A0049213.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051411.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051424.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP140\A0051441.exe infected by "Backdoor.Win32.Agent.mo" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055791.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP144\A0055991.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP149\A0057313.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.

File C:\System Volume Information\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\RP150\A0057361.exe infected by "Trojan-Proxy.Win32.Agent.fy" Virus! Action Taken: No Action Taken.

File C:\Users\libby\Eudora\Attach\message.zip infected by "Email-Worm.Win32.Mydoom.m.log" Virus! Action Taken: No Action Taken.

File C:\WINDOWS\updatees.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.
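The MWAV output above is long, lists several files twice, and mixes live files with copies held in System Restore. As an added example (not code from this thread, from MWAV, or from its vendor), here is a small Python parser for the three line shapes in the posted log. The sample lines are a constructed subset copied from the log above, with the duplicated entries kept on purpose so the de-duplication is visible; the `System Volume Information\_restore` test is an assumption about where Windows XP keeps restore-point copies.

```python
import re
from collections import Counter

# Constructed sample: a subset of the MWAV "infected items" lines posted in this
# thread. The last two lines repeat earlier ones on purpose, because the posted
# log reports the same file more than once.
SAMPLE_LOG = """\
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\\CLSID\\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
File C:\\WINDOWS\\updatees.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.
File C:\\System Volume Information\\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\\RP138\\A0047471.exe infected by "Trojan-Proxy.Win32.Ranky.bu" Virus! Action Taken: No Action Taken.
File C:\\System Volume Information\\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\\RP140\\A0051411.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.
File C:\\Users\\libby\\Eudora\\Attach\\message.zip infected by "Email-Worm.Win32.Mydoom.m.log" Virus! Action Taken: No Action Taken.
File C:\\WINDOWS\\updatees.exe infected by "Trojan-Clicker.Win32.Small.hh" Virus! Action Taken: No Action Taken.
File C:\\System Volume Information\\_restore{C7DDC5E1-A6C6-443B-AE4B-FEEAEF64E4B9}\\RP140\\A0051411.sys infected by "Rootkit.Win32.Agent.p" Virus! Action Taken: No Action Taken.
"""

# The three line shapes that appear in the posted MWAV output.
FILE_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus! Action Taken: (?P<action>.+?)\.$')
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>[^"]+)"\. Action Taken: (?P<action>.+?)\.$')
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<where>.+?)! Action Taken: (?P<action>.+?)\.$')
# Assumption: System Restore keeps its copies under this folder; those copies
# are dormant and go away when the restore points are cleared.
RESTORE_RE = re.compile(r'\\System Volume Information\\_restore\{', re.IGNORECASE)


def parse_mwav(text):
    """Parse MWAV 'infected items' lines into files, registry entries and
    adware objects. Identical lines are collapsed, since the scanner reports
    a file once per scan area it was found in."""
    seen = set()
    report = {"files": [], "entries": [], "objects": [], "unparsed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in seen:
            continue
        seen.add(line)
        m = FILE_RE.match(line)
        if m:
            report["files"].append({
                "path": m["path"], "name": m["name"], "action": m["action"],
                "restore_point": bool(RESTORE_RE.search(m["path"])),
            })
            continue
        m = ENTRY_RE.match(line)
        if m:
            report["entries"].append({"key": m["key"], "object": m["obj"]})
            continue
        m = OBJECT_RE.match(line)
        if m:
            report["objects"].append({"name": m["name"], "where": m["where"]})
            continue
        report["unparsed"].append(line)  # keep anything unexpected visible
    return report


def summarize(report):
    """Separate live files (which need action) from restore-point copies, and
    count detections by name."""
    live = [f for f in report["files"] if not f["restore_point"]]
    copies = [f for f in report["files"] if f["restore_point"]]
    return {
        "live_files": sorted((f["path"], f["name"]) for f in live),
        "restore_point_copies": len(copies),
        "detections": Counter(f["name"] for f in report["files"]),
        "invalid_registry_entries": len(report["entries"]),
        "adware_objects": [o["name"] for o in report["objects"]],
        "untreated": sum(1 for f in report["files"] if f["action"] == "No Action Taken"),
    }


if __name__ == "__main__":
    summary = summarize(parse_mwav(SAMPLE_LOG))
    print("Live infected files (need action):")
    for path, name in summary["live_files"]:
        print(f"  {path}  <- {name}")
    print(f"Restore-point copies: {summary['restore_point_copies']}")
    print(f"Invalid registry entries: {summary['invalid_registry_entries']}")
    print("Detections:", dict(summary["detections"]))
```

Running it on the sample prints two live files (updatees.exe and the Eudora attachment) and two restore-point copies; on the full log above the same split is what the next reply relies on when it says the remaining hits "were in system restore". Anything the three patterns do not recognise lands in `unparsed` rather than being dropped silently.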

#13 llevison (Topic Starter)
Here are the latest Ewido and HJT results:

Thank you!

++++++++++
Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:28:58 AM, 8/12/2005
+ Report-Checksum: 26990204

+ Scan result:

No infected objects found.

::Report End

+++++++++++

Logfile of HijackThis v1.99.1
Scan saved at 10:35:42 AM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\EzButton\CP888M1.EXE
C:\WINDOWS\System32\CePMTray.exe
C:\toshiba\ivp\ISM\pinger.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toast.net/start/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.toast.net/start/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Program Files\Netscape\Users\libby\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CP888M1] C:\PROGRA~1\EzButton\CP888M1.EXE
O4 - HKLM\..\Run: [CeEPOWER] C:\WINDOWS\System32\CePMTray.exe
O4 - HKLM\..\Run: [Pinger] C:\toshiba\ivp\ISM\pinger.exe /run
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus C82 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0HIC1.EXE /P23 "EPSON Stylus C82 Series" /O6 "USB001" /M "Stylus C82"
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Corel Registration.lnk = C:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\WINDOWS\System32\Hummbird\inetd32.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
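A HijackThis log like the one above is read by cross-checking three things: what is running, what is set to start automatically (O4), and which services exist and who signed them (O23). As an added example (not code from this thread or from the HijackThis project), here is a Python parser that does that cross-check: it flags O23 services reported as "Unknown owner" and lists running processes that no O4 or O23 entry accounts for. The sample log is a constructed subset of the log posted above; the `image_path` heuristic for unquoted commands containing spaces is an assumption about how HJT prints them.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_HJT = """\
Logfile of HijackThis v1.99.1
Scan saved at 10:35:42 AM, on 8/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\System32\\Hummbird\\inetd32.exe
C:\\Program Files\\Apoint2K\\Apoint.exe
C:\\Program Files\\Common Files\\Network Associates\\McShield\\Mcshield.exe

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.toast.net/start/
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint2K\\Apoint.exe
O4 - HKLM\\..\\Run: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot
O4 - Global Startup: Microsoft Office.lnk = C:\\Program Files\\Microsoft Office\\Office\\OSA9.EXE
O23 - Service: HCLInetd - Hummingbird Communications Ltd. - C:\\WINDOWS\\System32\\Hummbird\\inetd32.exe
O23 - Service: McShield - Unknown owner - C:\\Program Files\\Common Files\\Network Associates\\McShield\\Mcshield.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\\WINDOWS\\System32\\ImapiRox.exe
"""

# Every HJT finding is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [Name] cmd".
ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
# O4 bodies: registry Run keys and Startup-folder shortcuts.
O4_RE = re.compile(r'^(?:(?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)'
                   r'|(?P<where>Global Startup|Startup): (?P<lname>.+?) = (?P<lcmd>.+))$')
# O23 bodies: "Service: <display name> - <owner> - <image path>".
O23_RE = re.compile(r'^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# Assumption: the image is either the quoted first token or everything up to
# the first executable extension; HJT prints unquoted paths with spaces as-is.
IMAGE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.(?:exe|dll|ocx|com|scr))(?=\s|$)', re.IGNORECASE)


def image_path(cmd):
    """Extract the executable path from an O4 command line."""
    m = IMAGE_RE.match(cmd.strip())
    return (m["q"] or m["u"]) if m else cmd.strip()


def parse_hjt(text):
    """Split an HJT log into header fields, the process list and findings."""
    header, processes, entries = {"other": []}, [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m["code"], "body": m["body"]})
        elif ": " in line:
            key, _, value = line.partition(": ")
            header[key] = value
        else:
            header["other"].append(line)
    return {"header": header, "processes": processes, "entries": entries}


def triage(parsed):
    """Cross-check autoruns and services against the running process list."""
    running = {p.lower() for p in parsed["processes"]}
    autoruns, services = [], []
    for e in parsed["entries"]:
        if e["code"] == "O4" and (m := O4_RE.match(e["body"])):
            path = image_path(m["cmd"] or m["lcmd"])
            autoruns.append({"name": m["name"] or m["lname"], "image": path,
                             "running": path.lower() in running})
        elif e["code"] == "O23" and (m := O23_RE.match(e["body"])):
            services.append({"name": m["display"], "owner": m["owner"], "image": m["path"],
                             "running": m["path"].lower() in running})
    known = {a["image"].lower() for a in autoruns} | {s["image"].lower() for s in services}
    return {
        "autoruns": autoruns,
        "services": services,
        "unknown_owner_services": [s["image"] for s in services if s["owner"] == "Unknown owner"],
        "unaccounted_processes": sorted(p for p in parsed["processes"] if p.lower() not in known),
    }


if __name__ == "__main__":
    result = triage(parse_hjt(SAMPLE_HJT))
    print("Services with no recognised owner:", result["unknown_owner_services"])
    print("Running processes not explained by O4/O23:", result["unaccounted_processes"])
```

"Unknown owner" only means the binary carried no recognised version information, so on the sample it flags McShield (a legitimate McAfee component); the list is a starting point for looking files up, not a verdict. Core Windows processes such as smss.exe and Explorer.EXE are expected to show up as unaccounted, since they are not started through Run keys or services.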

#14 Excal (Retired Staff)
The other infections found were in system restore and will be cleared when we clear your restore points. I see you have a lot of invalid entries in your Registry and I will give you a registry cleaner to take care of those when we get you cleaned up.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\updatees.exe
  • Double click on that file.
  • HJT asks you if you want to reboot now. Click "YES".
after reboot

I really need you to run Panda to identify some files for me.

To activate ActiveX Controls:
*Note: ensure you write down the settings these were at so you can return them to normal afterwards.
  • In your browser go to Tools>Internet Options
  • Click the "security Tab"
  • Click on "Custom Level"
  • Scroll down until you get to "ActiveX controls and plug-ins"
  • Choose "Disable" for Automatic prompting for ActiveX controls
  • Choose Enable for "download signed ActiveX controls"
  • Choose Enable for "Run ActiveX Controls and plug-ins"
  • Choose Enable for "Script ActiveX controls marked safe for scripting"
  • Click "OK"
  • Then click "Yes"

Then you can close the box.
Run this online virus scan: ActiveScan - Save the results from the scan!

Edited by Excal, 12 August 2005 - 01:05 PM.


#15 llevison (Topic Starter)
Hi

#  Scroll down until you get to "ActiveX controls and plug-ins"

This is the first line in the Security/Custom... is that right?

# Choose "Disable" for Automatic prompting for ActiveX controls

I don't have this option, so could not set it to "Disable"

# Choose Enable for "download signed ActiveX controls"
# Choose Enable for "Run ActiveX Controls and plug-ins"
# Choose Enable for "Script ActiveX controls marked safe for scripting"

Last three done.

At 56K dialup, I can barely get the page to load. When I click on "Scan your PC" and it begins to download the ActiveX controls, it repeatedly tells me it can't find the server and can't display the page.

Any suggestions? Can I download the ActiveX controls on a different computer and move them? Is there another scanning program I can run? (I did get Trend Housecall to work.) Is "Automatic prompting" called something else? (IE Browser is 6.0.2800.xxxx)

Thank you

LLevison