Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Backdoor.SdBot.aad, elitum [RESOLVED]

Started by edwardvinke , Oct 01 2005 06:52 AM

  • This topic is locked This topic is locked

#1
edwardvinke
Posted 01 October 2005 - 06:52 AM

edwardvinke

    New Member

  • Member
  • Pip
  • 3 posts
I can't get rid off the viruses on my PC. Please help.

Here's the log from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 14:43:36, on 1-10-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Edward\Mijn documenten\Install software\Virus hulpprogrammas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127940839562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: winauthm (spdauth) - Unknown owner - C:\WINDOWS\spdauth.exe (file missing)
  • 0

Advertisements

#2
greyknight17
Posted 01 October 2005 - 04:01 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

sc stop spdauth
sc delete spdauth
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Go into HijackThis->Config->Misc Tools->Delete an NT service and type in spdauth and hit OK.

Go to Start->Run and type in services.msc and hit OK. Then look for winauthm (spdauth) and double click on it. Click on the Stop button and under Startup type, choose Disabled.

Run BOTH these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and post a new HijackThis log along with the Panda log.
  • 0

#3
edwardvinke
Posted 02 October 2005 - 01:05 AM

edwardvinke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Hi Kevin,

Thanks for your help. I've done everything you said.
1. HJT could not find the SPDAUTH service.
2. The winauthm was not running in the services either.
3. Trend housecall didn't find anything.
4. Panda scan found 1 spyware, see report below:


Incident Status Location

Adware:adware/block-checker No disinfected Windows Registry

5. AVG started it's own scheduled scan on my pc and found 22 viruses. See report below:

Trojan horse Generic.BJX C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004344.dll 2-10-2005 8:30:54 A0004344.dll 20.5 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004370.dll 2-10-2005 8:30:54 A0004370.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004385.dll 2-10-2005 8:30:54 A0004385.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004422.dll 2-10-2005 8:30:54 A0004422.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP66\A0004435.dll 2-10-2005 8:30:54 A0004435.dll 4 KB
Trojan horse Generic.BJW C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005436.dll 2-10-2005 8:30:55 A0005436.dll 4 KB
Trojan horse Generic.BJX C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005919.dll 2-10-2005 8:30:55 A0005919.dll 20.5 KB
Trojan horse Generic.BJV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005974.exe 2-10-2005 8:30:55 A0005974.exe 128 KB
Trojan horse Dropper.Agent.PV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0005976.exe 2-10-2005 8:30:55 A0005976.exe 156 KB
Trojan horse IRC/BackDoor.SdBot.LPV C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP67\A0006085.pif 2-10-2005 8:30:55 A0006085.pif 120 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006797.sys 2-10-2005 8:30:55 A0006797.sys 7 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006802.sys 2-10-2005 8:30:55 A0006802.sys 7 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP71\A0006808.sys 2-10-2005 8:30:55 A0006808.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006818.exe 2-10-2005 8:30:55 A0006818.exe 57.5 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006819.sys 2-10-2005 8:30:55 A0006819.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006820.exe 2-10-2005 8:30:55 A0006820.exe 57.5 KB
Trojan horse Generic.GM C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP72\A0006821.sys 2-10-2005 8:30:55 A0006821.sys 7 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006873.exe 2-10-2005 8:30:55 A0006873.exe 57.5 KB
Trojan horse IRC/BackDoor.SdBot.JFG C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006922.exe 2-10-2005 8:30:55 A0006922.exe 57.5 KB
Trojan horse Generic.BJT C:\System Volume Information\_restore{CEBB7E7F-3CAB-4D2B-B436-BAEB3A2F1303}\RP73\A0006943.EXE 2-10-2005 8:30:55 A0006943.EXE 220 KB
Trojan horse BackDoor.Generic.OFP C:\WINDOWS\system32\winjava.exe 2-10-2005 8:30:55 winjava.exe 20 KB

6. Here's the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:38:10, on 2-10-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\win.pif
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Edward\Mijn documenten\Install software\Virus hulpprogrammas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Windows Security] win.pif
O4 - HKLM\..\RunServices: [Windows Security] win.pif
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Security] win.pif
O4 - HKCU\..\RunServices: [Windows Security] win.pif
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127940839562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

There's still something wrong on my pc. I've got 4 users, and when I do a fast user switch and try to log in under one of the users, it starts asking me for a password. But I don't have a passwords set to any of the users. I can't log in then and have of restart my pc. Also if my pc has run for a few hours, it's not possible anymore to open the taskmanager. It will open but only as an icon in the systemtray.

Hope you can help me any further.
Edward
  • 0

#4
greyknight17
Posted 02 October 2005 - 07:26 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Hi Edward, don't worry, we are not done yet....so let's continue:

Make sure you do the below in RED and restarted (and enabled system restore again).

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools (or View)->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders (it's Show all files for Windows 98).
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKLM\..\Run: [Windows Security] win.pif
O4 - HKLM\..\RunServices: [Windows Security] win.pif
O4 - HKCU\..\Run: [Windows Security] win.pif
O4 - HKCU\..\RunServices: [Windows Security] win.pif

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\winjava.exe
C:\WINDOWS\System32\win.pif

Restart and run the Panda scan again. Save the log file and post it here along with a new HijackThis log.
  • 0

#5
edwardvinke
Posted 02 October 2005 - 01:23 PM

edwardvinke

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I removed the registry entries.
I couldn't find the files winjava.exe and win.pif. i did a search of my C-drive, only a prefetch file called win.pif-something was found. I deleted this one.

In the mean time I have also done an update of XP. I updated to SP2 now. Hope that wasn't a bad thing to do....



The activescan report:


Incident Status Location

Adware:adware/block-checker No disinfected Windows Registry

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 21:20:57, on 2-10-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Edward\Mijn documenten\Install software\Virus hulpprogrammas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-24.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1127940839562
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadbl...ivex/sabspx.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


What's next?
  • 0

#6
greyknight17
Posted 03 October 2005 - 03:02 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Nope, we got rid of it so getting SP2 shouldn't be a problem :tazz:

Just in case you're wondering, don't worry about that registry entry found by Panda...minor/harmless.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#7
greyknight17
Posted 17 October 2005 - 05:48 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP