wordpad.exe virus [RESOLVED]

#1 munky (Member, 33 posts)
eff! Also, when I start my computer, Firefox opens a window and cmd.exe opens up and runs all this stuff, then errors out because it says 'administrator denies change to reg' or something.
Here's my HJT log. Hope you can help.

Logfile of HijackThis v1.99.1
Scan saved at 8:30:46 PM, on 9/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sysmanager.exe
C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Cisco\Clean Access\CCAAgent.exe
C:\WINDOWS\System32\wuauclt.exe
E:\Program Files\firefox.exe
E:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [RemoteCenter] E:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Clean Access Agent.lnk = E:\Program Files\Cisco\Clean Access\CCAAgent.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126545209156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126737490781
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0
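A triage pass over a HijackThis log of this shape, added here as an example; it is my code, not anything posted in the thread or shipped with HijackThis. It pulls out the entries an analyst would look at first: O23 services whose binary sits directly in the Windows root and carries no publisher ("Unknown owner" is what HijackThis prints when the file has no company name in its version resource), O4 autoruns that resolve through PATH or point outside Program Files/System32, processes running from the Windows root, and the O10 LSP and O20 Winlogon Notify DLLs that always deserve a vendor check. SAMPLE_LOG is a constructed excerpt modelled on the log above; the heuristics, the `Finding` type and the severity labels are mine.

```python
"""Triage a HijackThis 1.99-style log: list the entries to look at first.
Added example, not part of the thread or of HijackThis.  SAMPLE_LOG is a
constructed excerpt modelled on the posted log; the heuristics are a
starting point for an analyst, not a verdict."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Directories where a service or autorun binary is unremarkable.  A binary
# sitting directly in the Windows root (C:\WINDOWS\foo.exe) is the classic
# drop location for IRC bots of the SDBot family and is checked first.
NORMAL_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\progra~1\\")
EXE_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".ocx")

# O23 - Service: <display name> - <owner> - <path>
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - HK[LC][MU]\\\.\.\\\w+: \[[^\]]*\] (?P<cmd>.+)$")
WINROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.I)  # file directly in %WINDIR%
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                          # "Running processes" lines


@dataclass
class Finding:
    severity: str   # "high" or "review"
    reason: str
    line: str


def in_windows_root(path: str) -> bool:
    """True for a file directly in %WINDIR%, e.g. C:\\WINDOWS\\sysmanager.exe."""
    return WINROOT_RE.match(path.strip().strip('"')) is not None


def is_normal_dir(path: str) -> bool:
    return any(d in path.lower() for d in NORMAL_DIRS)


def first_path(cmd: str) -> str:
    """Executable path from an O4 command line: quoted paths, unquoted paths
    with spaces, and RUNDLL32 <dll>,<entry> (the DLL is the payload).
    Returns the bare name when the entry carries no path at all."""
    cmd = cmd.strip()
    if cmd.lower().startswith("rundll32.exe "):
        cmd = cmd[len("rundll32.exe "):].split(",")[0]
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    acc = []
    for tok in cmd.split():
        acc.append(tok)
        if tok.lower().endswith(EXE_EXT):
            return " ".join(acc)
    return cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O23_RE.match(line)
        if m:
            unknown = m["owner"] == "Unknown owner"
            if unknown and in_windows_root(m["path"]):
                findings.append(Finding("high", "service with no publisher, binary in %WINDIR% root", line))
            elif unknown and not is_normal_dir(m["path"]):
                findings.append(Finding("review", "service with no publisher outside the usual dirs", line))
            continue
        m = O4_RE.match(line)
        if m:
            path = first_path(m["cmd"])
            if "\\" not in path:
                findings.append(Finding("review", "autorun has no full path, resolved via PATH", line))
            elif in_windows_root(path) or not is_normal_dir(path):
                findings.append(Finding("review", "autorun binary outside Program Files/System32", line))
            continue
        if line.startswith(("O10 ", "O20 ")):
            findings.append(Finding("review", "LSP / Winlogon Notify DLL, confirm the vendor", line))
            continue
        if DRIVE_RE.match(line) and in_windows_root(line):
            findings.append(Finding("review", "process running from %WINDIR% root", line))
    return findings


# Constructed excerpt in the shape of the log posted above (not the full log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\sysmanager.exe
E:\Program Files\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
```

On the sample, the only "high" finding is the SystemManager service, which is exactly the file the next reply asks to have scanned; the "review" items (the same binary in the process list, `UpdReg.EXE` in the Windows root, the two PATH-resolved autoruns, the LSP and Winlogon Notify DLLs) are the ones an analyst clears by checking the vendor, which is why the ATI and Creative entries in the real log are not treated as findings.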

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Did Ewido find anything in Safe Mode?

Upload this file (C:\WINDOWS\sysmanager.exe) to http://virusscan.jotti.org and report back what it found.
  • 0

#3 munky (Topic Starter, Member, 33 posts)
Here's what Ewido found:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:37:19 PM, 9/18/2005
+ Report-Checksum: 86313864

+ Scan result:

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0NAUOU0W\m11[1].jpg/y.bat -> Trojan.Zapchast : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.170:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.171:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Munks\Application Data\Mozilla\Firefox\Profiles\djvazmyu.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\gfhbh.exe/y.bat -> Trojan.Zapchast : Cleaned with backup
C:\WINDOWS\ra.reg -> Trojan.WinREG.LowZones.f : Cleaned with backup
C:\WINDOWS\y.bat -> Trojan.Zapchast : Cleaned with backup


::Report End

---------------------------------
I uploaded the file you told me to:
File: sysmanager.exe
Status:
INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 e3740152efc9ecb7b7bb839a1fb9ccae
Packers detected:
PE-CRYPT.ANTIDEB, UPX
Scanner results
AntiVir
Found Worm/SdBot.aad.175
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Backdoor.SDBot.08D6C255
ClamAV
Found nothing
Dr.Web
Found Win32.HLLW.MyBot
F-Prot Antivirus
Found nothing
Fortinet
Found W32/SDBot.AAD-bdr
Kaspersky Anti-Virus
Found Backdoor.Win32.SdBot.aad
NOD32
Found a variant of IRC/SdBot
Norman Virus Control
Found nothing
UNA
Found nothing
VBA32
Found Backdoor.Win32.SdBot.aad
--------------------------------------

Here's a new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:47:49 PM, on 9/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\sysmanager.exe
E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
E:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\YzShadow\YzShadow.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\firefox.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] E:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Program Files\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126545209156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126737490781
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying so (we don't know every program that exists, so we may tell you to delete a program that you want to keep because we think it is bad).

Make sure you downloaded, installed, updated and ran these programs (run in Safe Mode) already - Ad-aware, Spybot and Ewido. If you didn't, do them now. For more information, go to http://www.greyknigh...com/spyware.htm

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

rem Stop the bogus SystemManager service, then unregister it from the Service Control Manager
sc stop SystemManager
sc delete SystemManager
rem Remove this batch file once it has run
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in SystemManager and hit OK.

Go to Start->Run and type in services.msc and hit OK. Then look for SystemManager and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe

Delete the following files/folders (delete the folder if no filename is specified) from the directory given (if no directory is given, just do a search for them), if they exist:

C:\WINDOWS\sysmanager.exe

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0
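The same removal sequence as a script, added here as an example; it is my code, not anything posted in the thread. It does what the batch file and the HijackThis/services.msc steps above do (stop the service, unregister it, delete the binary) and handles the outcomes those steps can produce. sc.exe reports failures as `FAILED <Win32 error code>`; code 1060 means the service is already gone, 1062 that it was not running, and 1072 (ERROR_SERVICE_MARKED_FOR_DELETION) is not a failed delete but the Service Control Manager saying it has already accepted the delete and will finish it once the last open handle to the service closes (a services.msc properties dialog keeps one) or the machine reboots. A binary still mapped by the running process cannot be unlinked, so it is queued for deletion at the next boot with MoveFileEx. The service name and path are the ones from the log; the assumption that sc.exe's output and exit code carry the Win32 error is mine, and the script has to run as Administrator on the affected machine (on anything else it only exposes the parsing functions).

```python
"""Scripted stop / delete / remove-binary for a rogue service, with the
failure modes handled.  Added example, not code from the thread.  Assumes
sc.exe prints 'FAILED <Win32 code>' on error and returns that code."""
from __future__ import annotations

import ctypes
import os
import re
import subprocess
import sys
import time

SERVICE = "SystemManager"               # names taken from the posted log
BINARY = r"C:\WINDOWS\sysmanager.exe"

# Win32 error codes sc.exe surfaces as "FAILED <code>"
ERROR_SERVICE_DOES_NOT_EXIST = 1060
ERROR_SERVICE_NOT_ACTIVE = 1062
ERROR_SERVICE_MARKED_FOR_DELETION = 1072

FAILED_RE = re.compile(r"FAILED\s+(\d+)")
STATE_RE = re.compile(r"STATE\s*:\s*(\d+)\s+(\w+)")   # "STATE : 1  STOPPED"


def classify_sc(output: str, returncode: int = 0) -> str:
    """Map sc.exe output (or its exit code) to a verdict.  1072 is not a
    failure to act on: the SCM has accepted the delete and is waiting for
    the last open handle to close, or for a reboot."""
    m = FAILED_RE.search(output)
    code = int(m.group(1)) if m else returncode
    if code == 0:
        return "ok"
    if code == ERROR_SERVICE_DOES_NOT_EXIST:
        return "not_found"
    if code == ERROR_SERVICE_NOT_ACTIVE:
        return "already_stopped"
    if code == ERROR_SERVICE_MARKED_FOR_DELETION:
        return "marked_for_deletion"
    return f"error_{code}"


def parse_state(query_output: str) -> tuple[int | None, str | None]:
    """(code, name) from 'sc query' output, e.g. (1, 'STOPPED')."""
    m = STATE_RE.search(query_output)
    return (int(m.group(1)), m.group(2)) if m else (None, None)


def sc(*args: str) -> tuple[int, str]:
    p = subprocess.run(["sc.exe", *args], capture_output=True, text=True)
    return p.returncode, p.stdout + p.stderr


def delete_on_reboot(path: str) -> bool:
    """Queue a locked file for deletion at next boot: MoveFileEx with a NULL
    target and MOVEFILE_DELAY_UNTIL_REBOOT writes PendingFileRenameOperations."""
    MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    return bool(ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT))


def remove_service(name: str = SERVICE, binary: str = BINARY) -> list[str]:
    """Stop, unregister, delete.  Returns a log so the caller can tell the
    user whether a reboot is still needed to finish the job."""
    log = []
    rc, out = sc("stop", name)
    log.append(f"stop: {classify_sc(out, rc)}")
    for _ in range(10):                       # wait up to ~10 s for STOPPED
        rc, out = sc("query", name)
        if parse_state(out)[0] == 1 or classify_sc(out, rc) == "not_found":
            break
        time.sleep(1)
    rc, out = sc("delete", name)
    verdict = classify_sc(out, rc)
    log.append(f"delete: {verdict}")
    if verdict == "marked_for_deletion":
        log.append("close services.msc / HijackThis and reboot; the SCM finishes the delete then")
    if os.path.exists(binary):
        try:
            os.remove(binary)
            log.append(f"removed {binary}")
        except PermissionError:               # still mapped by the running process
            log.append(f"{binary} is locked; queued for deletion at reboot: {delete_on_reboot(binary)}")
    return log


if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the affected Windows machine, as Administrator")
    print("\n".join(remove_service()))
```

Run as Administrator, the log tells you which of the three outcomes you got: a clean delete, "not_found" because an earlier attempt already took effect, or "marked_for_deletion", in which case the greyed-out Stop button and HijackThis's "Unable to Delete" are expected and a reboot completes the removal.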

#5 munky (Topic Starter, Member, 33 posts)
I had some problems with the whole process...

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in SystemManager and hit OK.

Says it is Unable to Delete

Go to Start->Run and type in services.msc and hit OK. Then look for SystemManager and double click on it. Click on the Stop button and under Startup type, choose Disabled.

The Stop button is unclickable. When I clicked "OK" it said that it was "Marked for Deletion"

O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe

Did not exist in the HJT log.
-----------------------------------

Anyway, here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:08:46 PM, on 9/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Wintab32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CTHELPER.EXE
E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Program Files\RK Launcher\RKLauncher.exe
C:\Program Files\WinRoll\winroll.exe
C:\Program Files\YzShadow\YzShadow.exe
E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
E:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
E:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] E:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [RemoteControl] "E:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [RemoteCenter] E:\Program Files\Creative\MediaSource\RemoteControl\RcMan.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] E:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [RK Launcher] C:\Program Files\RK Launcher\RKLauncher.exe
O4 - HKCU\..\Run: [WinRoll] C:\Program Files\WinRoll\winroll.exe
O4 - HKCU\..\Run: [Yz Shadow] C:\Program Files\YzShadow\YzShadow.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126545209156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1126737490781
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - E:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINDOWS\System32\Wintab32.exe
  • 0

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#7 munky (Topic Starter, Member, 33 posts)
The only problem now is my recycle bin shows there are 4 objects in it totalling 1.91kB, but it doesn't do anything when I empty it, or restore them.

Any help?
  • 0

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Create a dummy file and delete it. Empty it from the Recycle Bin. Does that fix it up? If not, try this:

Download CleanUp! http://cleanup.stevengould.org/ (Alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to log off.
  • 0

#9 munky (Topic Starter, Member, 33 posts)
I ran CleanUp! but I STILL have the files in my recycle bin... and I've added stuff to it and removed those fine.
  • 0

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
So you actually see it in your Recycle Bin? OK, what are the filenames of these 4 files?
  • 0

#11 munky (Topic Starter, Member, 33 posts)
No, I don't see them. I did have RKLauncher on my computer, and when I ran the mouse over the recycle bin it said 4 Items, 1.91 kB. And it shows the recycle bin as having something in it anyway, and it'll ask if I'm sure I want to remove all the items, but no, it does not show the files themselves. Also, I do have 'show hidden files' turned on.
  • 0

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, what are the names of the four files? To confirm, do this:

Go to Start->Run and type in cmd and hit OK. Then type in:

dir c:\recycler\ > c:\recycle.txt

and hit ENTER. Type exit and hit ENTER. Go to c: drive and open up recycle.txt and post what's listed there. Delete that file when you are done.
  • 0

#13 munky (Topic Starter, Member, 33 posts)
It said File Not Found.

Volume in drive C has no label.
Volume Serial Number is 744A-EE02

Directory of c:\recycler


I have a RECYCLER (all caps) folder in my C:\ drive; when I open it I see a recycle bin and all, and if I go through it and empty it, it still does nothing. Also, when I type it in cmd I get the same thing.

Edited by munky, 22 September 2005 - 09:16 PM.

  • 0

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I think this is Windows related (not virus or spyware). Try this last suggestion:

Go to Start->Run and type in sfc /scannow and hit OK. Let it scan. If it finds any files missing/corrupted, it may ask for the Windows CD.

If that doesn't work, create a new topic in the Windows forum and ask it there. Then post back here one more time and I will close this topic.
  • 0

#15 munky (Topic Starter, Member, 33 posts)
Ok. Thanks.

You can close this thread now.
  • 0





