I don't know what virus I'm infected with [RESOLVED]

#1 mpy (Member, 120 posts)
I have a big problem with my computer now... Let me start off by saying that I have Windows XP Home Edition..

Ok so.. I scanned my computer and found a virus, but the scanner wouldn't heal it.. So I deleted it.. Then explorer.exe stuffed up.. Then I booted my comp with my Windows XP CD and tried to repair the whole of Windows.. But then, after repairing it, every time I tried to go into Windows a message came up saying:

"A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run CHKDSK /F to check for hard drive corruption, and then restart your computer.

Technical information:

***STOP: 0x0000007B (0xFA2C3640, 0xC0000034, 0x00000000, 0x00000000)"

... So I booted my computer again with the CD and installed another Windows XP OS... "C:\WINDOWS2".. And that's what I'm on now.. Oh, and I can still access my original files on my drive, but I can't open most of them.. like Word documents and RealOne Player movies.. But I know I have Microsoft Word and RealOne.. Also the sound doesn't work and the monitor is kinda weird..

This is a HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 7:56:05 PM, on 8/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS2\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe


Thanks for taking the time to read my problem. Please reply if you can help me.

#2 mpy (Member, Topic Starter, 120 posts)
I've scanned my computer and found no viruses or spyware, but I keep getting a blue screen saying that I should remove newly installed hard drives and check for viruses...

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:35 AM, on 8/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS2\System32\wuauclt.exe
C:\WINDOWS2\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#3 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh HijackThis log.
(DO NOT INSTALL SP2)

#4 mpy (Member, Topic Starter, 120 posts)
Thanks so much for replying!!! :)

It downloaded SP2 automatically.. But I won't install it. I am downloading SP1a now..

Thank you for helping me, Excal :) you're so cool!! :tazz:

Edit: And Kat too :)

Edited by mpy, 20 August 2005 - 03:12 AM.

#5 mpy (Member, Topic Starter, 120 posts)
I've installed SP1.. Here's the log, hope it helps:

Logfile of HijackThis v1.99.1
Scan saved at 8:23:03 PM, on 8/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS2\System32\msiexec.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124527825920
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

#6 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Don't do anything with it yet.

Boot into safe mode.

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

Reboot.

Please post the WinPFind log.

Run this online virus scan: ActiveScan - Please save and post the results from the scan!

#7 mpy (Member, Topic Starter, 120 posts)
WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/18/2001 10:00:00 PM 41397 C:\WINDOWS2\SYSTEM32\dfrg.msc
PECompact2 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS2\SYSTEM32\MRT.exe
aspack 8/4/2005 10:01:54 AM 1449304 C:\WINDOWS2\SYSTEM32\MRT.exe
Umonitor 8/29/2002 8:41:10 PM 631808 C:\WINDOWS2\SYSTEM32\rasdlg.dll
winsync 8/18/2001 10:00:00 PM 1309184 C:\WINDOWS2\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS2\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
S 8/20/2005 8:58:22 PM 2048 C:\WINDOWS2\bootstat.dat
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\WindowsShell.Manifest
H 8/18/2005 8:28:14 PM 65 C:\WINDOWS2\Downloaded Program Files\desktop.ini
SH 8/18/2005 8:29:38 PM 67 C:\WINDOWS2\Fonts\desktop.ini
H 8/19/2005 4:53:54 PM 0 C:\WINDOWS2\inf\oem0.inf
H 8/18/2005 8:28:14 PM 65 C:\WINDOWS2\Offline Web Pages\desktop.ini
SH 8/18/2005 8:29:00 PM 242478 C:\WINDOWS2\PCHEALTH\HELPCTR\PackageStore\package_1.cab
SH 8/18/2005 8:29:00 PM 19959 C:\WINDOWS2\PCHEALTH\HELPCTR\PackageStore\package_2.cab
SH 8/18/2005 8:29:00 PM 727 C:\WINDOWS2\PCHEALTH\HELPCTR\PackageStore\package_3.cab
SH 8/20/2005 7:57:52 PM 70111 C:\WINDOWS2\PCHEALTH\HELPCTR\PackageStore\package_5.cab
H 8/18/2005 8:30:50 PM 233472 C:\WINDOWS2\repair\ntuser.dat
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\system32\cdplayer.exe.manifest
H 8/18/2005 8:28:14 PM 488 C:\WINDOWS2\system32\logonui.exe.manifest
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\system32\ncpa.cpl.manifest
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\system32\nwc.cpl.manifest
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\system32\sapi.cpl.manifest
H 8/18/2005 8:28:14 PM 488 C:\WINDOWS2\system32\WindowsLogon.manifest
H 8/18/2005 8:27:58 PM 749 C:\WINDOWS2\system32\wuaucpl.cpl.manifest
H 8/20/2005 8:58:08 PM 8192 C:\WINDOWS2\system32\config\default.LOG
H 8/20/2005 8:58:42 PM 1024 C:\WINDOWS2\system32\config\SAM.LOG
H 8/20/2005 8:58:24 PM 12288 C:\WINDOWS2\system32\config\SECURITY.LOG
H 8/20/2005 8:59:30 PM 102400 C:\WINDOWS2\system32\config\software.LOG
H 8/20/2005 8:58:30 PM 618496 C:\WINDOWS2\system32\config\system.LOG
H 8/19/2005 6:14:04 AM 1024 C:\WINDOWS2\system32\config\TempKey.LOG
H 8/19/2005 6:14:08 AM 1024 C:\WINDOWS2\system32\config\userdiff.LOG
H 8/19/2005 9:41:46 PM 1024 C:\WINDOWS2\system32\config\systemprofile\ntuser.dat.LOG
SH 8/19/2005 6:15:44 AM 62 C:\WINDOWS2\system32\config\systemprofile\Application Data\desktop.ini
SH 8/19/2005 6:15:44 AM 62 C:\WINDOWS2\system32\config\systemprofile\Local Settings\desktop.ini
SH 8/18/2005 8:29:08 PM 113 C:\WINDOWS2\system32\config\systemprofile\Local Settings\History\desktop.ini
SH 8/18/2005 8:29:08 PM 113 C:\WINDOWS2\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
SH 8/18/2005 8:29:08 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
SH 8/18/2005 8:29:08 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
SH 8/19/2005 7:45:14 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8LI34TUF\desktop.ini
SH 8/19/2005 7:45:14 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\DZ1A905J\desktop.ini
SH 8/19/2005 7:45:14 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KLMJSH2J\desktop.ini
SH 8/19/2005 7:45:14 PM 67 C:\WINDOWS2\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WTYRSH6V\desktop.ini
SH 8/18/2005 8:28:20 PM 181 C:\WINDOWS2\system32\config\systemprofile\SendTo\desktop.ini
SH 8/19/2005 6:15:44 AM 62 C:\WINDOWS2\system32\config\systemprofile\Start Menu\desktop.ini
SH 8/18/2005 8:30:46 PM 207 C:\WINDOWS2\system32\config\systemprofile\Start Menu\Programs\desktop.ini
SH 8/18/2005 8:30:46 PM 482 C:\WINDOWS2\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
SH 8/18/2005 8:30:46 PM 348 C:\WINDOWS2\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
SH 8/18/2005 8:30:46 PM 84 C:\WINDOWS2\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
SH 8/18/2005 8:30:46 PM 84 C:\WINDOWS2\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
SH 8/20/2005 8:57:28 PM 388 C:\WINDOWS2\system32\Microsoft\Protect\S-1-5-18\User\7f440f19-9683-404b-a8c4-6fe1d084449c
SH 8/20/2005 8:57:28 PM 24 C:\WINDOWS2\system32\Microsoft\Protect\S-1-5-18\User\Preferred
H 8/20/2005 8:57:26 PM 6 C:\WINDOWS2\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 10:00:00 PM 66048 C:\WINDOWS2\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 578560 C:\WINDOWS2\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 129024 C:\WINDOWS2\SYSTEM32\desk.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 150016 C:\WINDOWS2\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 292352 C:\WINDOWS2\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 121856 C:\WINDOWS2\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 65536 C:\WINDOWS2\SYSTEM32\joy.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 187904 C:\WINDOWS2\SYSTEM32\main.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 559616 C:\WINDOWS2\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 35840 C:\WINDOWS2\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 256000 C:\WINDOWS2\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 36864 C:\WINDOWS2\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 109056 C:\WINDOWS2\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINDOWS2\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 8:41:28 PM 268288 C:\WINDOWS2\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 28160 C:\WINDOWS2\SYSTEM32\telephon.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 90112 C:\WINDOWS2\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS2\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 66048 C:\WINDOWS2\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 150016 C:\WINDOWS2\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 187904 C:\WINDOWS2\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 559616 C:\WINDOWS2\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 35840 C:\WINDOWS2\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 256000 C:\WINDOWS2\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 36864 C:\WINDOWS2\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 109056 C:\WINDOWS2\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 28160 C:\WINDOWS2\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/18/2001 10:00:00 PM 90112 C:\WINDOWS2\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TrojanHunter
{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.2\contmenu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS2\System32\msdxm.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard "C:\Program Files\TrojanHunter 4.2\THGuard.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS2\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS2\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.0 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 8/20/2005 9:04:30 PM

:tazz:

#8 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
You look clean :)

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if the main link does not work) and install it.


Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Any luck with the ActiveScan?

:tazz:

Excal

#9 mpy (Member, Topic Starter, 120 posts)
Yeh, I did that CleanUp! thing before making this thread and just before doing that WinPFind thing... Here's the Panda log, sir:

Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\!Submit\hhk.dll
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-5b1a92db.zip[InstallerApplet.class]
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PsGuard No disinfected C:\RECYCLER\S-1-5-21-1935655697-1060284298-725345543-1004\Dc12.html
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\hhk.dll
Adware:Adware/SpySheriff No disinfected C:\WINDOWS\system32\msole32.exe
Possible Virus. No disinfected C:\WINDOWS2\Temp\ASHeuristic\ProcessViewer.exe.vir

#10 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
Please read this post completely; it may make it easier for you if you copy and paste this post into a new text document or print it for reference later.


DOWNLOAD PROGRAMS


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Please remove the following folders using Windows Explorer (if present):

C:\!Submit

5. Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\system32\hhk.dll
C:\Documents and Settings\Matthew\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-5b1a92db.zip


6. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

7. Open Ad-aware and do a full scan. Remove all it finds.

8. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

9. Next go to Control Panel, click Appearance and Themes > click Display > Desktop tab > click Customize Desktop > Web tab > Uncheck anything in there if present.

10. Run the program CleanUp!

11. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

12. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.

#11 mpy (Member, Topic Starter, 120 posts)
Woah, didn't that take a helluva long time!! Anyway, here are the logs..

smitRem log file
version 2.3

by noahdfear

The current date is: Sat 08/20/2005
The current time is: 22:12:31.04

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

Ewido found 0 viruses..

Panda Active Scan:


Incident Status Location

Adware:adware/savenow No disinfected Windows Registry
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PsGuard No disinfected C:\RECYCLER\S-1-5-21-1935655697-1060284298-725345543-1004\Dc12.html
Adware:Adware/SpySheriff No disinfected C:\WINDOWS\system32\msole32.exe
Possible Virus. No disinfected C:\WINDOWS2\temp\ASHeuristic\ProcessViewer.exe.vir
HijackThis log...

Logfile of HijackThis v1.99.1
Scan saved at 12:39:43 AM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\system32\csrss.exe
C:\WINDOWS2\system32\winlogon.exe
C:\WINDOWS2\system32\services.exe
C:\WINDOWS2\system32\lsass.exe
C:\WINDOWS2\system32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\System32\svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124527825920
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

Ok so.. Currently Windows XP Home Edition 1 ("C:\WINDOWS") still doesn't work, and that stop message about the virus and hard drive still comes up when I choose between my OSes.. Windows XP Home Edition 2 ("C:\WINDOWS2") still works.. Basically I've got rid of some viruses but no change to my problem :tazz:

But thanks a lot for your generous help

So tired... Cya in the mornin, sir... Zzz

Edited by mpy, 20 August 2005 - 08:55 AM.

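Helpers in threads like this one compare each fresh HijackThis log against the previous one to see what changed between scans. The following is an added example, not code from the original post or from HijackThis itself: a small Python parser that splits a log into platform, running processes and O-entries, then diffs two logs. The two sample logs are shortened copies of the 8/19 and 8/21 logs posted in this thread, and the function and class names are my own.

```python
import re
from dataclasses import dataclass, field

# A HijackThis entry line looks like: O4 - HKLM\..\Run: [Name] "path" args
# The section tag (O3, O4, O16, O23, ...) says which autostart location it came from.
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d{1,2}) - (?P<body>.+)$")


@dataclass
class HjtLog:
    platform: str = ""
    processes: list = field(default_factory=list)   # lines of the "Running processes:" block
    entries: dict = field(default_factory=dict)     # section tag -> set of entry bodies


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis v1.99 text log into platform, running processes and O-entries."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_procs = False
            continue
        if line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.setdefault(m["section"], set()).add(m["body"])
    return log


def diff_hjt(old: HjtLog, new: HjtLog) -> dict:
    """Report what appeared or disappeared between two logs, per section.

    Process paths are compared case-insensitively because HijackThis prints them
    as the process table has them (IEXPLORE.EXE in one log, iexplore.exe in the next).
    """
    result = {}
    if old.platform != new.platform:
        result["platform"] = {"old": old.platform, "new": new.platform}
    for section in sorted(set(old.entries) | set(new.entries)):
        before = old.entries.get(section, set())
        after = new.entries.get(section, set())
        if before != after:
            result[section] = {"added": sorted(after - before), "removed": sorted(before - after)}
    old_p = {p.lower() for p in old.processes}
    new_p = {p.lower() for p in new.processes}
    if old_p != new_p:
        result["processes"] = {"added": sorted(new_p - old_p), "removed": sorted(old_p - new_p)}
    return result


# Constructed sample input: the 8/19 and 8/21 logs from this thread, shortened.
LOG_AUG19 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:56:05 PM, on 8/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS2\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

LOG_AUG21 = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:39:43 AM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS2\System32\smss.exe
C:\WINDOWS2\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS2\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124434216249
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124527825920
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for key, change in diff_hjt(parse_hjt(LOG_AUG19), parse_hjt(LOG_AUG21)).items():
        print(key, change)
```

On the two samples the only differences are the SP1 platform string, two new O16 ActiveX controls (Microsoft Update and the Panda ActiveScan installer) and two processes that were simply not running at the time of the second scan; unchanged O3/O4/O23 sections are omitted from the report.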

#12 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\system32\msole32.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "yes".

Run CleanUp! again, please.


You did run Smitrem in safe mode? (RunThis.bat)

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

#13 mpy (Member, Topic Starter, 120 posts)
Yeh I ran that SmitRem thing in safe mode.. Do I also run mwav.exe in safe mode?

#14 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)
No, you don't.


:tazz:


Excal

#15 mpy (Member, Topic Starter, 120 posts)
Should I do the smitrem thing again in safe mode?

I'm pretty sure I did it in safe mode before..