Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Winfixer >.< [RESOLVED]


  • This topic is locked This topic is locked

#1
Goryus

Goryus

    New Member

  • Member
  • Pip
  • 7 posts
I seem to have been hijacked by winfixer. Not sure how it got on my computer (I run all sorts of spyware prevention utilities), but my attempts to make it go away have not been bearing fruit. If anyone could help me out in removing it, I'd really appreciate it!

Logfile of HijackThis v1.99.1
Scan saved at 11:02:29 AM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\ET821A.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\notes\NLNOTES.EXE
C:\Program Files\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 162.49.66.5 olympus
O1 - Hosts: 162.49.66.11 plato
O1 - Hosts: 162.49.66.23 intranet
O1 - Hosts: 162.49.66.31 webi
O1 - Hosts: 162.49.66.35 SCEA919ML02 #paris
O1 - Hosts: 162.49.66.38 callisto
O1 - Hosts: 162.49.66.39 SESFCB03 #Nemesis2
O1 - Hosts: 162.49.66.47 SESFCB02A #mail1
O1 - Hosts: 162.49.66.172 becks
O1 - Hosts: 162.49.67.17 fosters2
O1 - Hosts: 162.49.67.19 SCEA919ML01 #news
O1 - Hosts: 162.49.67.21 marco
O1 - Hosts: 162.49.67.38 argo
O1 - Hosts: 162.49.67.39 SESFCB03 #Nemesis67
O1 - Hosts: 162.49.67.42 stealth
O1 - Hosts: 162.49.67.44 viper
O1 - Hosts: 162.49.67.47 icarius
O1 - Hosts: 162.49.80.9 blackberry
O1 - Hosts: 162.49.80.36 geosonyaw1
O1 - Hosts: 162.49.80.38 diablo
O1 - Hosts: 162.49.80.56 trinity.playstation.sony.com
O1 - Hosts: 162.49.80.48 matrix.playstation.sony.com
O1 - Hosts: 162.49.86.36 polo
O1 - Hosts: 162.49.86.38 mercury
O1 - Hosts: 162.49.86.39 SESFCB03 #Nemesis86
O1 - Hosts: 162.49.86.47 lucidb
O1 - Hosts: 162.49.86.48 lucid
O1 - Hosts: 162.49.88.10 hestia
O1 - Hosts: 162.49.88.12 castor.playstation.sony.com
O1 - Hosts: 162.49.88.16 heimdall2 #mis
O1 - Hosts: 162.49.88.38 hermes
O1 - Hosts: 162.49.88.39 SESFCB03 #Nemesis88
O1 - Hosts: 162.49.88.41 stealth
O1 - Hosts: 162.49.88.44 webtrends
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\WALLPA~1\utilps.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://guardian:434...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://guardian:434...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://guardian:434...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://guardian:434.../RemoveCtrl.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://volvo.playsta...tor/oajinit.exe
O20 - AppInit_DLLs: rainit.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: utilps - C:\WINDOWS\Web\WALLPA~1\utilps.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: DesktopAuthority - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

Edited by Goryus, 07 September 2005 - 11:41 AM.

  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi Goryus and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"


3. Before we start, do you know what all those entries are in your host file, the 01 entries in your HJT log?

Regards,

Trevuren

  • 0

#3
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hello Trevuren, and thanks for helping me out with this!

1 & 2: Done

3: Yes, I'm familliar with them, they're from/related to the corporate network I'm on.
  • 0

#4
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print these instructions out for use in Safe Mode.

Also note, one must be either logged in under the Administrator account or have administrator prileges to be able to use these procedures

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    it should look like this

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):


    • C:\WINDOWS\Web\WALLPA~1\utilps.dll



  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    C:\WINDOWS\Web\WALLPA~1\splitu.*
    This will be the vundo filename spelt backwards. for example if the vundo dll was vundo.dll you would have the user enter odnuv.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\Web\WALLPA~1\utilps.dll
    O20 - Winlogon Notify: utilps - C:\WINDOWS\Web\WALLPA~1\utilps.dll


  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK

Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

Regards,

Trevuren

  • 0

#5
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks bunches Trevuren, seems to be fixed!

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:14:03 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\LG4126.EXE
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\notes\NLNOTES.EXE
C:\Program Files\notes\ntaskldr.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 162.49.66.5 olympus
O1 - Hosts: 162.49.66.11 plato
O1 - Hosts: 162.49.66.23 intranet
O1 - Hosts: 162.49.66.31 webi
O1 - Hosts: 162.49.66.35 SCEA919ML02 #paris
O1 - Hosts: 162.49.66.38 callisto
O1 - Hosts: 162.49.66.39 SESFCB03 #Nemesis2
O1 - Hosts: 162.49.66.47 SESFCB02A #mail1
O1 - Hosts: 162.49.66.172 becks
O1 - Hosts: 162.49.67.17 fosters2
O1 - Hosts: 162.49.67.19 SCEA919ML01 #news
O1 - Hosts: 162.49.67.21 marco
O1 - Hosts: 162.49.67.38 argo
O1 - Hosts: 162.49.67.39 SESFCB03 #Nemesis67
O1 - Hosts: 162.49.67.42 stealth
O1 - Hosts: 162.49.67.44 viper
O1 - Hosts: 162.49.67.47 icarius
O1 - Hosts: 162.49.80.9 blackberry
O1 - Hosts: 162.49.80.36 geosonyaw1
O1 - Hosts: 162.49.80.38 diablo
O1 - Hosts: 162.49.80.56 trinity.playstation.sony.com
O1 - Hosts: 162.49.80.48 matrix.playstation.sony.com
O1 - Hosts: 162.49.86.36 polo
O1 - Hosts: 162.49.86.38 mercury
O1 - Hosts: 162.49.86.39 SESFCB03 #Nemesis86
O1 - Hosts: 162.49.86.47 lucidb
O1 - Hosts: 162.49.86.48 lucid
O1 - Hosts: 162.49.88.10 hestia
O1 - Hosts: 162.49.88.12 castor.playstation.sony.com
O1 - Hosts: 162.49.88.16 heimdall2 #mis
O1 - Hosts: 162.49.88.38 hermes
O1 - Hosts: 162.49.88.39 SESFCB03 #Nemesis88
O1 - Hosts: 162.49.88.41 stealth
O1 - Hosts: 162.49.88.44 webtrends
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://guardian:434...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://guardian:434...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://guardian:434...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://guardian:434.../RemoveCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://volvo.playsta...tor/oajinit.exe
O20 - AppInit_DLLs: rainit.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: DesktopAuthority - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe



vudofix.txt
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 556 'smss.exe'
Threads [560][564][568]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 444 'explorer.exe'
Killing PID 444 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 628 'winlogon.exe'
Killing PID 628 'winlogon.exe'
Killing PID 628 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


That virus scan is taking years to complete, in large part because I have Cygwin installed on this computer and it's insisting on deep scanning it (110,000+ files). It's been going for about half an hour now and the completion bar has barely moved, so I figure it's going to take hours yet to finish. It hasn't found anything yet, and I'm guardedly optimistic that it won't. ^_^ The pop-ups seem to have stopped.

Thanks again for your help! I can't begin to express how much I appreciate you guys taking the time to help me with this.
  • 0

#6
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Alright, the virus scan finally finished, and it looks like it found something...

ActiveScan results
Incident Status Location

Virus:Trj/Agent.AJK Disinfected C:\WINDOWS\SYSTEM32\mlljk.dll

  • 0

#7
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Copy and paste this code box text into a text editor such as Notepad.

2. Save this text as ResetAppInit.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop. Include the word REGEDIT4

3. Double-click on ResetAppInit.reg. When it asks you to merge the information to the registry click Yes.


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

4. REBOOT your system.

5. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#8
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Done and done. Here's the new log:

HJT log
Logfile of HijackThis v1.99.1
Scan saved at 11:34:40 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
C:\Program Files\DesktopAuthority\DesktopAuthority.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\TEMP\FK4ECB.EXE
C:\WINDOWS\system32\slagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Prism Deploy\Client\PTClient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\program files\notes\NLNOTES.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\notes\ntaskldr.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 162.49.66.5 olympus
O1 - Hosts: 162.49.66.11 plato
O1 - Hosts: 162.49.66.23 intranet
O1 - Hosts: 162.49.66.31 webi
O1 - Hosts: 162.49.66.35 SCEA919ML02 #paris
O1 - Hosts: 162.49.66.38 callisto
O1 - Hosts: 162.49.66.39 SESFCB03 #Nemesis2
O1 - Hosts: 162.49.66.47 SESFCB02A #mail1
O1 - Hosts: 162.49.66.172 becks
O1 - Hosts: 162.49.67.17 fosters2
O1 - Hosts: 162.49.67.19 SCEA919ML01 #news
O1 - Hosts: 162.49.67.21 marco
O1 - Hosts: 162.49.67.38 argo
O1 - Hosts: 162.49.67.39 SESFCB03 #Nemesis67
O1 - Hosts: 162.49.67.42 stealth
O1 - Hosts: 162.49.67.44 viper
O1 - Hosts: 162.49.67.47 icarius
O1 - Hosts: 162.49.80.9 blackberry
O1 - Hosts: 162.49.80.36 geosonyaw1
O1 - Hosts: 162.49.80.38 diablo
O1 - Hosts: 162.49.80.56 trinity.playstation.sony.com
O1 - Hosts: 162.49.80.48 matrix.playstation.sony.com
O1 - Hosts: 162.49.86.36 polo
O1 - Hosts: 162.49.86.38 mercury
O1 - Hosts: 162.49.86.39 SESFCB03 #Nemesis86
O1 - Hosts: 162.49.86.47 lucidb
O1 - Hosts: 162.49.86.48 lucid
O1 - Hosts: 162.49.88.10 hestia
O1 - Hosts: 162.49.88.12 castor.playstation.sony.com
O1 - Hosts: 162.49.88.16 heimdall2 #mis
O1 - Hosts: 162.49.88.38 hermes
O1 - Hosts: 162.49.88.39 SESFCB03 #Nemesis88
O1 - Hosts: 162.49.88.41 stealth
O1 - Hosts: 162.49.88.44 webtrends
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [DesktopAuthority GUI] "C:\Program Files\DesktopAuthority\ragui.exe"
O4 - HKLM\..\Run: [Prism Deploy Client] "C:\Program Files\Prism Deploy\Client\PTClient.exe" /Subscriber
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://guardian:434...ll/WinNTChk.cab
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://guardian:434...ll/setupini.cab
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://guardian:434...stall/setup.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://guardian:434.../RemoveCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) - http://volvo.playsta...tor/oajinit.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Channel Deployer - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\ChannelDeploy.sys
O23 - Service: DesktopAuthority - ScriptLogic Corporation - C:\Program Files\DesktopAuthority\DesktopAuthority.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

  • 0

#9
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#10
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
As far as I know, everything is running fine. Thanks again for the speedy and effective response! You guys rock.
  • 0

#11
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

Reconfigure Windows XP to hide hidden files:
  • Click Start. Open My Computer.
  • Select the Tools menu and click Folder Options. Select the View Tab.
  • Under the Hidden files and folders heading deselect "Show hidden files and folders".
  • Check the "Hide protected operating system files (recommended)" option.
  • Click Yes to confirm. Click OK.
2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0

#12
Goryus

Goryus

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Also done! I'd officially say I owe you one. :tazz:
  • 0

#13
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP