I have several infections... [RESOLVED]


This topic is locked

#1 CDbigdadee (Member, 17 posts)
I've run Adaware, Ewido, Trojan Hunter, Spybot, Nailfix, Cleanup, Autoruns & McAfee Online Scan - all in safe mode. I've deleted all of the files determined to be threats, yet, as soon as I return to normal boot up the file names come back in Autoruns & my HJT log. My computer seems to run fine until I plug into the net - then several registry changes occur and "new" processes start to run. Here's my HJT log & thanks in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:36:23 PM, on 8/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [BDFRK] C:\WINDOWS\System32\BDFRK.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
#2 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. If your problem has been fixed please
respond and let us know.

Thanks

#3 CDbigdadee (Topic Starter, 17 posts)
Yes loophole, I still need help. I'll post a new HJT log tonight.

#4 loophole (Malware Expert, Retired Staff, 9,798 posts)
sounds good :tazz: . .

#5 CDbigdadee (Topic Starter, 17 posts)
Here it is....for the record, I'm not using the "infected" PC so the log should be the same. Please re-read the first part of my first post so that you'll know what attempts I've made to clean my files, etc. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 6:51:00 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [BDFRK] C:\WINDOWS\System32\BDFRK.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe

#6 loophole (Malware Expert, Retired Staff, 9,798 posts)
Hey :tazz:

You have a few different infections and this will take a few posts to clean up, but we will get it.

*IMPORTANT* Be sure you know how to VIEW HIDDEN FILES

Download and unzip http://metallica.gee...m/MADEbyOSC.zip
Run the file by doubleclicking metallica.bat
and post the log.
Do not reboot until I have looked at your log and given you the next step.
If you have to reboot repeat this part when you are back online.

#7 CDbigdadee (Topic Starter, 17 posts)
ok - I'm at work, the infected PC is at home so I'll follow your directions this evening.

#8 CDbigdadee (Topic Starter, 17 posts)
Here's the metallica log:

************************************
**These are the hidden files found**
************************************
Volume in drive C has no label.
Volume Serial Number is A45A-21DB

Directory of C:\DOCUME~1\LUCKEY~1\LOCALS~1\Temp

08/07/2005 07:58 PM 65,536 fdr3668.fdr
08/07/2005 08:00 PM 0 msncorr.log
2 File(s) 65,536 bytes
0 Dir(s) 67,179,483,136 bytes free
************************************
**These are the system files found**
************************************
Volume in drive C has no label.
Volume Serial Number is A45A-21DB

Directory of C:\DOCUME~1\LUCKEY~1\LOCALS~1\Temp

06/24/2004 10:33 AM <DIR> History
06/24/2004 10:33 AM <DIR> Temporary Internet Files
0 File(s) 0 bytes
2 Dir(s) 67,179,479,040 bytes free

#9 loophole (Malware Expert, Retired Staff, 9,798 posts)
Ok, let's do some work on your log.

Please update Ewido

You may wish to print out a copy of these instructions to follow while you complete this procedure

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)


Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):
Cas
sf


Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer(if present):
C:\WINDOWS\System32\vidctrl
C:\Program Files\Cas
C:\Program Files\sf


Please delete these files using Windows Explorer(if present):
C:\WINDOWS\System32\miwq.exe
C:\WINDOWS\System32\kpnphp.exe
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\scrsvc.exe
C:\WINDOWS\System32\bootpd.exe
C:\WINDOWS\sfita.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\System32\r?ndll.exe
C:\WINDOWS\System32\win32.exe
AUNPS2.DLL
traase.exe
(You will have to use the search function for these two.)

Do a full system scan with Ewido and save the log


After that, Reboot.


Now post back the Ewido log and a new Hijack log

Thanks

Edited by loophole, 11 August 2005 - 07:35 PM.


#10 CDbigdadee (Topic Starter, 17 posts)
Will do this evening...thanks
#11 loophole (Malware Expert, Retired Staff, 9,798 posts)
Sounds good, just post when you're finished :tazz:

#12 CDbigdadee (Topic Starter, 17 posts)
Ok....

Following your directions, I updated Ewido, fixed the noted files in HJT, rebooted in safe mode and did not see Cas or sf. I didn't recognize the following programs:

DAO
OIN
Premium Search Start Page
TContext


None of the files you listed for deletion were present with this exception:

1) You said to find & delete C:\Windows\cfgmgr52.dll. I found C:\...\cfgmgr52.ini (I didn't delete it)

2) You said to find & delete C:\Windows\System32\r?ndll.exe. I found C:\...\rundll.exe (I didn't delete it)


Here are the scans. Ewido first, then HJT:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:        7:11:57 PM, 8/12/2005
 + Report-Checksum:   55F375A1

 + Scan result:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP510\A0036212.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP510\A0036287.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP525\A0036899.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037117.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037220.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037277.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037320.dll -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP527\A0037357.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0038379.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP528\A0038569.dll -> TrojanDownloader.Apropo.ah : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041354.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041368.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041369.exe.tcf -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041370.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041371.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041372.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041373.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP531\A0041374.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\fngcnrn.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\apisvc.exe -> Backdoor.Lamebot.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\e121307.Stub.exe -> TrojanDownloader.Delmed.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\InstallAPS.exe -> TrojanDropper.Agent.lu : Cleaned with backup
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 7:16:56 PM, on 8/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [BDFRK] C:\WINDOWS\System32\BDFRK.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [SNInstall] C:\WINDOWS\tool2.exe
O4 - HKCU\..\Run: [Aida] C:\Program Files\rdso\eetu.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe

#13 loophole (Malware Expert, Retired Staff, 9,798 posts)
Strange, that Hijack log is exactly the same. Let's try this again.

Could you please scan with Hijack again and put a check next to the following and click fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://195.95.218.172/index.php
O4 - HKLM\..\Run: [miwq] C:\WINDOWS\System32\miwq.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kpnphp.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [scrsvc] C:\WINDOWS\System32\scrsvc.exe
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\System32\bootpd.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\Run: [_Cat4] C:\WINDOWS\msmsgr2.exe
O4 - HKLM\..\Run: [vraibh] c:\windows\system32\wqykxjj.exe r
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [Ortcv] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [H0sqRVbni] sietdown.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)


Remember to click fix checked

Now reboot and post a new log

thanks

#14 CDbigdadee (Topic Starter, 17 posts)
I've done this several times. I fix those entries in safe mode, yet when I reboot back into normal mode, the log looks like I never touched it. I can do it again if you wish but it will be the same. Please advise, thanks.
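Two points in this thread are worth working through in code: the selection in loophole's post #9 (which R0/R1, O4 and O21 lines to check and fix) and CDbigdadee's report in post #14 that the same entries are back after every Fix checked and reboot. The script below is an added example, not code from this thread, from HijackThis or from either poster. It parses HijackThis-style lines, flags the patterns that mark the entries loophole listed (a bare filename resolved through PATH at logon, rundll32 loading a DLL with no path or outside System32, an svchost.exe started from somewhere other than System32, the same command under both HKLM and HKCU, a start page pointing at a raw IP, a proxy on 127.0.0.1, an SSODL entry with no file), and diffs a before/after snapshot so the entries that survived the fix stand out. The heuristics, the list of deceptive value names and the two sample logs (a constructed subset of the entries posted above, not a full log) are this example's own assumptions.

```python
"""Triage HijackThis-style log lines and diff two snapshots of the same machine.

Added example for this thread; the heuristics are this script's own, not
HijackThis's, and the sample logs are a constructed subset of entries that
appear in the posts above.
"""
import re
from collections import defaultdict

# Constructed snapshot built from entries in the posted logs (not a full log).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://195.95.218.172/index.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9022
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [033k39X] traase.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Service Host] C:\WINDOWS\System32\Services\{ACD80455-F4E6-40CF-8620-8C128A194B69}\SVCHOST.EXE
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O21 - SSODL: System - {7DFB3B61-E65E-45AF-8F61-C52E17764FFC} - (no file)
"""
# Constructed "after Fix checked + reboot" snapshot: only the proxy entry stayed gone.
LOG_AFTER = "\n".join(ln for ln in LOG_BEFORE.splitlines() if "ProxyServer" not in ln)

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: .* - (?P<path>.*)$")
IP_URL = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)")
RUNDLL = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>\S+?),", re.IGNORECASE)
# Value names chosen to look like part of Windows; this list is an assumption of the example.
GENERIC_NAMES = {"system", "service host", "wintask driver", "windows update"}


def entries(log):
    """Non-empty, whitespace-trimmed lines of a log."""
    return [ln.strip() for ln in log.splitlines() if ln.strip()]


def first_token(cmd):
    """The program part of a Run value: a quoted path, or text up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def reasons_for(line, hives):
    """Reasons one log line looks suspicious (empty list = nothing found).
    `hives` maps (value name, command) to the set of hives it was seen under."""
    out = []
    m = O4_RE.match(line)
    if m:
        cmd, name = m["cmd"], m["name"].lower()
        exe = first_token(cmd).lower()
        rd = RUNDLL.match(cmd)
        if rd:
            dll = rd["dll"].lower()
            if "\\" not in dll or "\\system32\\" not in dll:
                out.append("rundll32 loads a DLL with no path or outside System32")
        elif "\\" not in exe:
            out.append("bare filename, resolved via PATH search at logon")
        if exe.rsplit("\\", 1)[-1] == "svchost.exe" and exe != r"c:\windows\system32\svchost.exe":
            out.append("svchost.exe started from a non-standard directory")
        if name in GENERIC_NAMES:
            out.append("value name imitates a Windows component")
        if len(hives.get((name, cmd.lower()), ())) > 1:
            out.append("same command registered under both HKLM and HKCU")
    m = R_RE.match(line)
    if m:
        value, data = m["value"].strip(), m["data"].strip()
        if value in ("Start Page", "Default_Page_URL", "Local Page") and IP_URL.match(data):
            out.append("browser start page points at a raw IP address")
        if value == "ProxyServer" and "127.0.0.1" in data:
            out.append("browser traffic routed through a local proxy port")
    m = O21_RE.match(line)
    if m and m["path"].strip() == "(no file)":
        out.append("ShellServiceObjectDelayLoad entry whose file is missing")
    return out


def triage(log):
    """Map each suspicious line of a log to its list of reasons."""
    lines = entries(log)
    hives = defaultdict(set)
    for ln in lines:
        m = O4_RE.match(ln)
        if m:
            hives[(m["name"].lower(), m["cmd"].lower())].add(m["hive"])
    report = {}
    for ln in lines:
        r = reasons_for(ln, hives)
        if r:
            report[ln] = r
    return report


def diff_snapshots(before, after):
    """Set difference of two logs taken around a fix attempt."""
    b, a = set(entries(before)), set(entries(after))
    return {"removed": sorted(b - a), "new": sorted(a - b), "persisted": sorted(b & a)}


def stubborn(before, after):
    """Suspicious entries still present after the fix, worst first. An entry that
    returns after Fix checked and a reboot is being re-created by something that is
    still running, so that component has to be found before the Run keys stay fixed."""
    flagged = triage(before)
    kept = diff_snapshots(before, after)["persisted"]
    return sorted((ln for ln in kept if ln in flagged), key=lambda ln: -len(flagged[ln]))


if __name__ == "__main__":
    for ln, why in triage(LOG_BEFORE).items():
        print(f"{ln}\n    {'; '.join(why)}")
    print("\nStill present after the fix attempt:")
    for ln in stubborn(LOG_BEFORE, LOG_AFTER):
        print("  " + ln)
```

With the constructed snapshots, every line except the Ad-Watch entry is flagged, the proxy line is the only one reported as removed, and the fake svchost.exe sorts first in the stubborn list because two heuristics fire on it. A stubborn list that matches the original almost line for line, as in post #14, says the fix is being undone by a component that is still running (one of the remaining startup items, a service or a driver), which is why the next step in the thread is a different scanner rather than another pass with HijackThis.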

#15 loophole (Malware Expert, Retired Staff, 9,798 posts)
This is strange. Let's try this.

run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here with a new hijack log





