Problem with Web.exe - HijackThis log within [RESOLVED]



#31
tampabelle

  • Retired Staff
  • 6,363 posts
Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip
  • Unzip it to your desktop.
* CleanUp!
  • Install it.
* Killbox by Option^Explicit
  • Save it to your desktop.
Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - Mouse Button Monitor. Right click on it and then click on Properties. In the Startup Type choose the option Disable. Close the window.


Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe


Close HiJackThis.

5.) Run Killbox.exe.

* Select "Delete on Reboot".

* Select all these files and click on Copy -

C:\WINDOWS\System32\tellecom.exe
C:\WINDOWS\System32\mousebm.exe



* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any "PendingRenameOperation" prompt. If your computer does not restart automatically, please restart it manually.

After the computer has restarted, continue with the rest of the instructions:

6.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, make sure your Anti-Virus program is working properly - you can turn auto-protect on and off, etc.

7.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.



#32
Requiem

  • Topic Starter
  • Member
  • 20 posts
rdriv.txt

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

rdriv.sys PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe PRESENT!


~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

rdriv.sys NOT PRESENT!
ItunesMusic.exe NOT PRESENT!
wkssvc.exe NOT PRESENT!



ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:20:17 PM, 16/08/2005
+ Report-Checksum: 3C4DF2F2

+ Scan result:

C:\WINDOWS\system32\tellecom.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINDOWS\system32\TFTP384 -> Backdoor.SdBot.yx : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Chris\Cookies\chris@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.154:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.185:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.186:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.188:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.190:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.191:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.192:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.200:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.201:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.202:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.203:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.209:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.211:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.212:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Chris\Application Data\Mozilla\Firefox\Profiles\hi4etpsj.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP9\A0005323.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP9\A0005380.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP12\A0012622.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP12\A0013623.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP13\A0014624.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP14\A0014649.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP14\A0014659.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP14\A0014663.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP14\A0014664.exe -> Backdoor.SdBot.xd : Cleaned with backup


::Report End


ActiveScan

Virus:W32/Sdbot.ftp - Disinfected - C:\WINDOWS\system32\i
Virus:W32/SdBot.EPD.worm - Disinfected - C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP12\A0013624.pif
Virus:Bck/Ircbot.JY - Disinfected - C:\System Volume Information\_restore{9751C1A3-5CFD-41E6-8BFD-EDF9B399FD2C}\RP14\A0014643.exe



HJT

Logfile of HijackThis v1.99.1
Scan saved at 3:09:49 AM, on 17/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Chris\Desktop\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Repair Registry Pro] E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C90AED3-6C53-4A40-A0B1-7BA3790AE150}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)


I think all that text took longer to copy, paste and format than it did to go through the procedure you just ran me through. Phew. x_x
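A small triage script for HijackThis logs, added here as an illustration; it is not part of this thread, of HijackThis or of any tool the helpers used. It parses the O4 (autostart) and O23 (service) lines, flags the signs tampabelle acted on above (autostart commands that are bare filenames like tellecom.exe, services with no publisher or with a missing binary such as the wkssvc.exe entry) and diffs two logs so the entries that disappeared between scans stand out. The two sample logs are excerpts of the ones in this thread, combined with the three O4 lines tampabelle asked to fix in reply #31; the flagging rules are heuristics chosen for this example.

```python
"""Triage helper for HijackThis logs (added example, not from the thread)."""
import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [Name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w\w)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O23 - Service: Display (ServiceName) - Owner - Path (file missing)
O23_RE = re.compile(r'^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]*)\))? - '
                    r'(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$')

# Constructed excerpt: the O4 lines fixed in reply #31 plus lines from the reply #32 log.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft Telecom Center] tellecom.exe
O4 - HKLM\..\RunServices: [Microsoft Telecom Center] tellecom.exe
O4 - HKCU\..\Run: [Microsoft Telecom Center] tellecom.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation Service Library (Microsoft Locator Service) - Unknown owner - C:\WINDOWS\wkssvc.exe (file missing)
"""

# Constructed excerpt of the reply #34 log, after the cleanup steps.
HJT_AFTER = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


@dataclass(frozen=True)
class Entry:
    kind: str      # "O4" (autostart) or "O23" (service)
    name: str      # value name or service display name
    target: str    # command line or binary path
    owner: str     # publisher for services, "" for autostarts
    missing: bool  # service binary reported "(file missing)"
    raw: str       # the original log line


def parse_hjt(text):
    """Return the O4 and O23 entries of a HijackThis log as Entry records."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append(Entry("O4", m["name"], m["cmd"], "", False, line))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["display"], m["path"], m["owner"],
                                 m["missing"] is not None, line))
    return entries


def _executable(cmd):
    """First token of a command line, without surrounding quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def flags(entry):
    """Heuristic review reasons for one entry (assumptions of this example)."""
    reasons = []
    if entry.kind == "O4":
        exe = _executable(entry.target)
        if "\\" not in exe and ":" not in exe:
            # No directory: the name is resolved through the search path at logon,
            # which is how tellecom.exe was registered in this thread.
            reasons.append("bare filename resolved through the search path")
    else:
        if entry.owner == "Unknown owner":
            reasons.append("no publisher information")
        if entry.missing:
            reasons.append("service binary missing (orphaned service registration)")
    return reasons


def triage(text):
    """Map each flagged log line to its review reasons."""
    return {e.raw: flags(e) for e in parse_hjt(text) if flags(e)}


def diff_logs(before, after):
    """Entries removed and added between two logs, as sorted raw lines."""
    b = {e.raw for e in parse_hjt(before)}
    a = {e.raw for e in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    for line in removed:
        print("removed:", line)
    for line, reasons in triage(HJT_BEFORE).items():
        print("review: ", line, "->", "; ".join(reasons))
```

The flags are starting points for a human reviewer, not verdicts: a legitimate entry such as `RunDll32 cmicnfg.cpl,CMICtrlWnd` trips the bare-filename rule too, and the ATI hotkey service has no publisher string yet is benign, which is why the helper in this thread checked each candidate rather than removing everything flagged.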

#33
tampabelle


  • Retired Staff
  • 6,363 posts
Hi Chris,


Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - Workstation Service Library. Right click on it and then click on properties. In the Startup Type choose the option Disable. Close the window.

Run Hijack This. Click on config ---> Misc Tools ---> Delete an NT Service. Type in Microsoft Locator Service - and hit enter.

Reboot the PC.

The files that we deleted earlier -
C:\WINDOWS\System32\tellecom.exe
C:\WINDOWS\System32\mousebm.exe

are both related to a rootkit infection. Rootkit infections are very complicated but basically enable a remote user to control your PC. So apart from being able to collect information from your PC, they can be used for a host of purposes like using your PC to originate spam mail etc. These files are also known to interfere with the regular functioning of the PC and result in some or all the apps not working (as is happening in your case).

I would strongly recommend that you do not use your PC for any financial transactions or any other transactions where your personal information is being used until the PC is totally cleaned up. The idea is not to scare you but to warn you to take proper precautions. In case you have used your PC in the recent past for such purposes, then please monitor the activity in your bank account / credit card to make sure that there are no surprises.



To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Please open Windows Explorer and navigate to folder - C:\WINDOWS\System32

If the files tellecom.exe and mousebm.exe exist, then please zip them up and mail them to me at fani_kumar(AT)hotmail.com.


Please visit Symantec at this page - http://securityrespo...moval.tool.html.

The page provides a tool for downloading and the instructions for using it. Please DO NOT follow step 6 and step 12 at this stage. We will tackle the System Restore cleanup later.

After connecting back to the net, please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see. Please also post a fresh HJT log.

#34
Requiem


  • Topic Starter
  • Member
  • 20 posts
HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\gopher\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\HTTP\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\https\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€ 05/08/2005 9:21 PM 0 bytes Key name contains embedded nulls (*)
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 17/08/2005 6:16 PM 8.04 KB Hidden from Windows API.


-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:25:17 PM, on 17/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
E:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Chris\Desktop\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Repair Registry Pro] E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C90AED3-6C53-4A40-A0B1-7BA3790AE150}: NameServer = 142.163.255.4 209.128.1.4
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Of note: Tellecom.exe and Mousecm.exe were not found.

Edited by Requiem, 17 August 2005 - 02:58 PM.

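The RootkitRevealer output above is a flat list of discrepancies between what the Windows API reports and what the tool reads directly from the registry hives and the disk. The script below is an added illustration of how to parse and rank such a list; it is not part of the thread or of RootkitRevealer. It parses each line into path, timestamp, size and description, counts discrepancy types, and ranks the findings: keys with embedded nulls first (standard registry tools cannot open or delete them), hidden files with content next, zero-length hidden keys last. The sample lines are the ones posted in this reply; the scan-window rule, which marks items timestamped shortly before the scan ended as possibly created by the scan itself, is this example's own heuristic, and the scan end time is taken from the HijackThis log saved in the same reply.

```python
"""RootkitRevealer discrepancy triage (added example, not from the thread or the tool)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# <path> dd/mm/yyyy h:mm AM|PM <size> <unit> <description>
RKR_RE = re.compile(
    r'^(?P<path>.+?) (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) '
    r'(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) (?P<desc>.+)$')

UNITS = {"bytes": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# Constructed sample: the RootkitRevealer lines posted in this reply.
RKR_SAMPLE = r"""
HKLM\SOFTWARE\Classes\ftp\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Classes\HTTP\shell\open\ddeexec 17/08/2005 6:15 PM 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€ 05/08/2005 9:21 PM 0 bytes Key name contains embedded nulls (*)
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf 17/08/2005 6:16 PM 8.04 KB Hidden from Windows API.
"""

# Assumed scan end: the HijackThis log in the same reply was saved at 6:25:17 PM on 17/08/2005.
SCAN_END = datetime(2005, 8, 17, 18, 25)


@dataclass(frozen=True)
class Finding:
    path: str
    when: datetime
    size_bytes: int
    desc: str

    @property
    def scope(self):
        """Registry keys start with a hive abbreviation; everything else is a file."""
        return "registry" if self.path.startswith("HK") else "file"


def size_bytes(text):
    """'8.04 KB' -> 8233 (rounded to whole bytes)."""
    value, unit = text.split()
    return round(float(value) * UNITS[unit])


def parse_rkr(text):
    """Parse RootkitRevealer discrepancy lines into Finding records."""
    findings = []
    for line in text.splitlines():
        m = RKR_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%d/%m/%Y %I:%M %p")
        findings.append(Finding(m["path"], when, size_bytes(m["size"]), m["desc"]))
    return findings


def summarize(findings):
    """Count discrepancies by (scope, description)."""
    return Counter((f.scope, f.desc) for f in findings)


def prioritize(findings, scan_end=None, window=timedelta(minutes=15)):
    """Rank findings: (priority, path, note), lowest priority number first."""
    ranked = []
    for f in findings:
        if "embedded nulls" in f.desc:
            prio, note = 1, "key name with embedded nulls: standard registry tools cannot open or delete it"
        elif f.scope == "file" and f.size_bytes > 0:
            prio, note = 2, "file content hidden from the Windows API"
        else:
            prio, note = 3, "zero-length hidden registry key: confirm manually"
        # Heuristic of this example: items last written inside the scan window may be
        # artifacts of the scan run itself rather than something hidden by a rootkit.
        if scan_end is not None and scan_end - window <= f.when <= scan_end:
            note += "; timestamp inside scan window, may be transient"
        ranked.append((prio, f.path, note))
    return sorted(ranked)


if __name__ == "__main__":
    found = parse_rkr(RKR_SAMPLE)
    for key, count in summarize(found).items():
        print(count, key)
    for prio, path, note in prioritize(found, SCAN_END):
        print(prio, path, "->", note)
```

Ranking is only a reading order for the reviewer; the helper in this thread still asked for a fresh HijackThis log alongside the RootkitRevealer output before calling the machine clean.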

#35
tampabelle


  • Retired Staff
  • 6,363 posts
Hi Chris,

That is good news. Also your HJT log looks clean.

Can you post a fresh Silent Runners log for me to verify that everything is fine?

#36
Requiem


  • Topic Starter
  • Member
  • 20 posts
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"AIM" = "E:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Repair Registry Pro" = "E:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s" [file not found]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "E:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "E:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "E:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
BrSplService, Brother XP spl Service, "C:\WINDOWS\System32\brsvc01a.exe" ["brother Industries Ltd"]
ewido security suite control, ewido security suite control, "E:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "E:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 23 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 19 seconds.
---------- (total run time: 86 seconds)

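The log above is a snapshot of Explorer, Winlogon and Winsock launch points with each CLSID resolved to the DLL that will actually be loaded, and tags such as "[file not found]" and "[null data]" marking the entries worth a second look. The script below is an added example, not part of the thread or of the Silent Runners tool, that reproduces that enumeration on a current Windows build: it walks the same registry locations, resolves CLSIDs through InProcServer32 (checking HKCU before HKLM, because a per-user CLSID registration shadows the machine one), and reports whether each module exists and carries a valid Authenticode signature. It assumes an elevated Windows PowerShell 5.1 prompt, and it assumes the PackedCatalogItem blob starts with the provider DLL path as a null-terminated ANSI string, which is the field the log prints as "(contains) DLL".

```powershell
# Added example, not part of the thread: enumerate the launch points the Silent Runners
# log lists (Explorer hooks/extensions, Winlogon Notify packages, Winsock catalogs),
# resolve each to its DLL, and flag missing files and files without a valid Authenticode
# signature. Assumes an elevated Windows PowerShell 5.1 prompt on a current Windows build.

function Resolve-ModulePath {
    param([string]$Raw)
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim('"'))
    # A bare file name (the log shows "deskpan.dll" and "Ati2evxx.dll") is located via the
    # DLL search order; System32 is where it should live, so check there.
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

function Get-ClsidServer {
    # Map a CLSID to its InProcServer32 default value, the DLL COM will load.
    # HKCU is consulted first because a per-user registration shadows HKLM (COM hijacking).
    param([string]$Clsid)
    foreach ($root in 'HKCU:\Software\Classes\CLSID', 'HKLM:\Software\Classes\CLSID') {
        $key = "$root\$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            return (Get-ItemProperty -LiteralPath $key).'(default)'
        }
    }
    return $null
}

function New-LaunchPointRecord {
    param([string]$Source, [string]$Name, [string]$RawPath)
    $path   = Resolve-ModulePath $RawPath
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $signer = 'n/a'
    if ($exists) {
        # Catalog-signed OS files report Valid on current Windows; on older builds they can
        # show NotSigned, so treat an UNSIGNED result as a lead to investigate, not a verdict.
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject }
                  else { "UNSIGNED ($($sig.Status))" }
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Exists = $exists; Signer = $signer }
}

$report = @()

# Explorer ShellExecuteHooks and the Approved shell-extension list: the value name is the CLSID.
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($clsid in (Get-Item -LiteralPath $key).GetValueNames() | Where-Object { $_ -like '{*}' }) {
        $report += New-LaunchPointRecord $key $clsid (Get-ClsidServer $clsid)
    }
}

# Context-menu handlers: each subkey's default value (or the subkey name itself) is the CLSID.
foreach ($cls in '*', 'Directory', 'Folder') {
    $key = "HKLM:\Software\Classes\$cls\shellex\ContextMenuHandlers"   # '*' is a literal key name
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($sub in Get-ChildItem -LiteralPath $key) {
        $clsid = $sub.GetValue('')
        if (-not $clsid) { $clsid = $sub.PSChildName }
        $report += New-LaunchPointRecord $key $sub.PSChildName (Get-ClsidServer $clsid)
    }
}

# Winlogon Notify packages load inside winlogon.exe; the DLLName value names the module.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    foreach ($sub in Get-ChildItem -LiteralPath $notify) {
        $report += New-LaunchPointRecord $notify $sub.PSChildName $sub.GetValue('DLLName')
    }
}

# Winsock catalogs. Namespace providers store a plain LibraryPath; transport providers store
# PackedCatalogItem, a binary blob assumed here to begin with the provider DLL path as a
# null-terminated ANSI string (the "(contains) DLL" field in the log).
$ws = 'HKLM:\System\CurrentControlSet\Services\Winsock2\Parameters'
foreach ($sub in Get-ChildItem -LiteralPath "$ws\NameSpace_Catalog5\Catalog_Entries") {
    $report += New-LaunchPointRecord 'Winsock NameSpace_Catalog5' $sub.PSChildName $sub.GetValue('LibraryPath')
}
foreach ($sub in Get-ChildItem -LiteralPath "$ws\Protocol_Catalog9\Catalog_Entries") {
    [byte[]]$blob = $sub.GetValue('PackedCatalogItem')
    $len = [Array]::IndexOf($blob, [byte]0)
    if ($len -lt 0) { $len = $blob.Length }
    $dll = [Text.Encoding]::ASCII.GetString($blob, 0, $len)
    $report += New-LaunchPointRecord 'Winsock Protocol_Catalog9' $sub.PSChildName $dll
}

# Missing files first, then unsigned modules: the entries the log's "[file not found]"
# and "[null data]" tags are meant to draw the eye to.
$report | Sort-Object Exists, { $_.Signer -notlike 'UNSIGNED*' } | Format-Table -AutoSize
```

On 64-bit Windows the Winsock catalogs also have Catalog_Entries64 siblings, and 32-bit shell extensions live under the Wow6432Node hives; extend the key lists if you need to cover both views. A row that is missing or unsigned is a lead, not a conviction: the log above shows legitimate examples of both (the stale deskpan.dll entry and the unsigned WinRAR extension).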
#37 tampabelle (Member 5k, Retired Staff, 6,363 posts)
OK, your logs look fine.

Do you still have the issue of programs freezing?
#38 Requiem (Topic Starter, Member, 20 posts)
Nope!
Everything seems to be running just fine.
#39 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Chris,


CONGRATULATIONS !!!!!!!!!!! Your PC is clean now :tazz:



I would recommend the following steps to keep your PC clean (especially Step 1 to install Service Pack 2 or SP2 and Step 8 now that your PC is clean) –

PREVENTIVE MEASURES FOR FUTURE

Operating System
1. Keep Windows and Internet Explorer updated with the latest fixes. These fixes are available free from Microsoft. Click on Tools in the IE menu bar and then on Windows Update. You can also use the following links

Windows security and critical updates
Internet Explorer security and critical updates

Also ensure that automatic updates are enabled for faster updating of the system.
(Right click on My Computer on your desktop, then Properties and the Automatic Updates tab.)


Anti-Virus Software
2. Keep your Anti-virus program updated with the latest definitions. Some of the common anti-virus programs in use are :

Norton Anti-Virus
McAfee Anti-Virus
AVG Anti-Virus --- freeware
Avast Home Edition --- freeware

Use only one anti-virus program as multiple such programs can create conflicts between themselves and severely hamper the performance of your PC.


Firewall
3. You should also have a good firewall. Here are 3 free ones available for personal use:
Sygate Personal Firewall, Kerio Personal Firewall, ZoneAlarm


Internet Browsers
4. Have robust browser settings. It is preferable to use an internet browser other than IE, as most of the malware is targeted at IE. In case you prefer to use IE, then download a list of innocent-looking but harmful websites from IE-Spyad and install it on your PC. IE-SPYAD puts over 5000 sites in your Internet Explorer's Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't really innocent at all.

Some alternative browsers I suggest are Mozilla Firefox and Opera.

Ensure that the security level, whichever browser you use, is set at Medium or higher, and restrict the use of cookies and ActiveX components.


Spyware Protection
5. Have a wall of protection against spyware / adware by installing SpywareBlaster and SpywareGuard.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs.
SpywareBlaster will prevent spyware from being installed and consumes no system resources.
SpywareGuard offers realtime protection from spyware installation and browser hijack attempts. Both have free ongoing updates.


Spyware Removers
6. Install programs for scanning for malware and uninstalling them. Two of the best programs, both are freeware, are :

Spybot Search & Destroy - A powerful tool which can search for and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware SE Personal Edition - Another very powerful tool which searches for and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.


Regular Maintenance of PC
7. Finally, invest some time for regular maintenance of your PC. Delete the temporary Internet files, temporary files, cookies etc. Click on Start button, Programs, Accessories, System Tools and run the program Disk Cleanup. Follow the instructions.

An alternative freeware program which can be used is CleanUp.

Keep your Registry clean. My favourite software is Registry First Aid. This is not freeware, but a trial version can be downloaded.


System Restore Points
8. Since your PC is currently clean, create a system restore point. A system restore would enable you to revert to the settings on the PC when the restore point was created. It is also a good idea to flush all earlier system restore points, which may contain infected files.

A. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

B. Restart your computer.

C. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.


Go ahead and enjoy a clean PC !!!!!!!!!!!!!
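Step 8 above is the Windows XP GUI procedure. As an added example that is not part of the post, the same flush-and-rebaseline sequence can be scripted on a current Windows build with the System Restore cmdlets that ship in Windows PowerShell 5.1 (elevated prompt required). Turning protection off for a drive discards its existing restore points, which is exactly the flush the GUI steps achieve; turning it back on and taking a checkpoint records the known-clean state. The drive letter and the checkpoint description are assumptions for the example.

```powershell
# Added example, not from the post: scripted equivalent of Step 8 for current Windows
# builds (Windows PowerShell 5.1, run elevated). The drive letter is an assumption.
$drive = 'C:\'

# Steps A and B: turning System Restore off for the drive deletes its existing restore
# points, which is the "flush" the GUI procedure relies on.
Disable-ComputerRestore -Drive $drive

# Step C: turn System Restore back on for the drive.
Enable-ComputerRestore -Drive $drive

# Windows 8 and later refuse a second restore point within 24 hours of the last one.
# Setting the creation-frequency override to 0 lifts that throttle so the checkpoint
# below is actually created rather than silently skipped.
$srKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore'
Set-ItemProperty -Path $srKey -Name 'SystemRestorePointCreationFrequency' -Value 0 -Type DWord

# Record the clean baseline.
Checkpoint-Computer -Description 'Clean baseline after malware removal' -RestorePointType MODIFY_SETTINGS

# Verify: after the flush this should be the only restore point listed.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

The throttle override is a machine-wide setting; reset it (or remove the value) once the baseline is taken if you do not want every later tool to create restore points at will.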
#40 Requiem (Topic Starter, Member, 20 posts)
Most excellent.
Getting to work on configuring these now. :tazz:

You've been most gracious and patient with your help. I know exactly where to turn now next time my PC has problems.

Bravo, and cheerio!

EDIT: Of note: your link to IE-Spyad doesn't work.

Edited by Requiem, 17 August 2005 - 04:35 PM.

#41 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi Chris,

My apologies.


The revised link for spyad is https://netfiles.uiu...rce.htm#IESPYAD
#42 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.