
CWS malware [CLOSED]


#1
eladbenda
    New Member
  • 4 posts
Hi,
I have a spam attack on my system...
I used the following programs:
Spy Sweeper,
AVG Antivirus,
Spybot Search & Destroy,
TrojanHunter,
Ad-Aware SE

They all find malware and delete the files, but it all comes back again under other names...

This is my log:

Logfile of HijackThis v1.99.1
Scan saved at 08:42:45, on 14/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\atlmt.exe
C:\WINDOWS\system32\ntef32.exe
C:\Documents and Settings\Benda\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {02B481BA-C588-7AF1-0EFF-F69B008B338C} - C:\WINDOWS\apppm32.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0BF7595C-037E-FC87-CF31-B6FA7401041A} - C:\WINDOWS\addfu32.dll (file missing)
O2 - BHO: Class - {1022D6A6-AAF4-9850-B1C0-C2130FA14266} - C:\WINDOWS\system32\addtx.dll (file missing)
O2 - BHO: Class - {18F5769A-6A75-760A-F6D5-5515138BC965} - C:\WINDOWS\system32\apiyk32.dll (file missing)
O2 - BHO: Class - {1AC3EC09-3F6B-456A-FECF-1D4C70AEB8B2} - C:\WINDOWS\atlac.dll (file missing)
O2 - BHO: Class - {2E350B02-5DF7-6B28-7904-897D53CA0AB7} - C:\WINDOWS\ieyf32.dll (file missing)
O2 - BHO: Class - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atldq32.dll (file missing)
O2 - BHO: Class - {3EAAB545-5DA5-D593-1DC7-5C6B1EC765D8} - C:\WINDOWS\system32\sdkbw.dll (file missing)
O2 - BHO: Class - {3F18D253-A986-C896-9157-85378BE2E152} - C:\WINDOWS\system32\ntpm32.dll (file missing)
O2 - BHO: Class - {4197FF54-5C18-A7E5-9CC3-32130092E2A4} - C:\WINDOWS\crnk32.dll (file missing)
O2 - BHO: Class - {516B05B7-D345-D25A-1547-83C52F819898} - C:\WINDOWS\ipxb32.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {5B6D32FC-7E68-F50D-861F-4041172E35C4} - C:\WINDOWS\system32\sysbh.dll (file missing)
O2 - BHO: Class - {5FD30CE7-0DCC-51E7-8545-3F1D6198A4F5} - C:\WINDOWS\system32\iegh32.dll (file missing)
O2 - BHO: Class - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\sysqq.dll (file missing)
O2 - BHO: Class - {68DEE458-C434-7DFA-9793-DFC94F3C9C3B} - C:\WINDOWS\appzy32.dll (file missing)
O2 - BHO: Class - {6BFB4F8E-42B3-1853-FED2-0CE716BE6757} - C:\WINDOWS\system32\d3aa.dll (file missing)
O2 - BHO: Class - {7646BE06-290C-EE4C-F003-E41039CFEDB4} - C:\WINDOWS\system32\cryb.dll (file missing)
O2 - BHO: Class - {7ADE1326-D284-F0A5-10FF-77792B035B54} - C:\WINDOWS\msqf.dll (file missing)
O2 - BHO: Class - {7B79D3C0-5BA6-4760-51E7-D201FEA013C7} - C:\WINDOWS\system32\javacu32.dll (file missing)
O2 - BHO: Class - {80DAA425-DA60-3DA0-927D-F4CE735B581F} - C:\WINDOWS\sysng32.dll (file missing)
O2 - BHO: Class - {8EABB85C-4D63-D1BB-01F2-AE33BBD7CE6A} - C:\WINDOWS\system32\syszi.dll (file missing)
O2 - BHO: Class - {9155F4A4-C9AF-713E-C968-01E619660034} - C:\WINDOWS\crtp32.dll (file missing)
O2 - BHO: Class - {924B4D7B-F300-E37F-AE93-3DD350DA5B57} - C:\WINDOWS\system32\winad32.dll
O2 - BHO: Class - {A72CF6EF-6CF2-42D8-2DB0-27CB6FCBFF6A} - C:\WINDOWS\winfa.dll (file missing)
O2 - BHO: Class - {A9A7088B-63E9-D824-8BED-B299CE8A4339} - C:\WINDOWS\system32\ieou.dll (file missing)
O2 - BHO: Class - {B9C08788-99E3-0FDE-627D-4CBCC68F6D36} - C:\WINDOWS\sysmv32.dll (file missing)
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apikn.dll (file missing)
O2 - BHO: Class - {D46BCBAD-B2DB-4BFA-6795-B84A766FCDDF} - C:\WINDOWS\system32\apids.dll (file missing)
O2 - BHO: Class - {DD2786BE-3BE2-FC80-F475-561735175B9A} - C:\WINDOWS\system32\ieyl32.dll (file missing)
O2 - BHO: Class - {DEE73BDA-597A-B499-19B2-6F569DFF8BCF} - C:\WINDOWS\d3ut.dll (file missing)
O2 - BHO: Class - {DF51367E-27AA-E116-5B49-FD93BFC70C15} - C:\WINDOWS\system32\addax32.dll (file missing)
O2 - BHO: Class - {E42B61C2-66D3-07B5-A6D8-5FD00BC22603} - C:\WINDOWS\system32\netqw.dll
O2 - BHO: Class - {F58F81C3-2AC2-0FE8-BD83-A5E72B3E58A3} - C:\WINDOWS\system32\ipwf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKLM\..\Run: [ipez32.exe] C:\WINDOWS\system32\ipez32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123783589046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B59155CE-4ECF-464C-B978-0F366586346B}: NameServer = 80.74.96.3 80.74.96.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A9F053-D7FE-47EF-B759-5656544D375D}: NameServer = 192.114.47.4,192.114.47.52
O23 - Service: Network Security Service (NSS) ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\atlmt.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thanks a lot.
Elad
  • 0


#2
Buckeye_Sam
    Malware Expert
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

We are going to need some tools to remove this infection. Please download, install, and update any of these programs that you don't already have. Do not run any of them yet. Please make sure that you can View Hidden Files:
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • For more info on how to show hidden files click here.

If you have problems with any of these steps make a note of the problem and then continue on to the next step. Let me know of any problems in your next reply. Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.

Please print out these instructions.


Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


=============

Once in Safe mode follow these steps:
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {02B481BA-C588-7AF1-0EFF-F69B008B338C} - C:\WINDOWS\apppm32.dll (file missing)
    O2 - BHO: Class - {0BF7595C-037E-FC87-CF31-B6FA7401041A} - C:\WINDOWS\addfu32.dll (file missing)
    O2 - BHO: Class - {1022D6A6-AAF4-9850-B1C0-C2130FA14266} - C:\WINDOWS\system32\addtx.dll (file missing)
    O2 - BHO: Class - {18F5769A-6A75-760A-F6D5-5515138BC965} - C:\WINDOWS\system32\apiyk32.dll (file missing)
    O2 - BHO: Class - {1AC3EC09-3F6B-456A-FECF-1D4C70AEB8B2} - C:\WINDOWS\atlac.dll (file missing)
    O2 - BHO: Class - {2E350B02-5DF7-6B28-7904-897D53CA0AB7} - C:\WINDOWS\ieyf32.dll (file missing)
    O2 - BHO: Class - {2EE72B4F-E40E-EFB8-15AA-4EB5AE709679} - C:\WINDOWS\system32\atldq32.dll (file missing)
    O2 - BHO: Class - {3EAAB545-5DA5-D593-1DC7-5C6B1EC765D8} - C:\WINDOWS\system32\sdkbw.dll (file missing)
    O2 - BHO: Class - {3F18D253-A986-C896-9157-85378BE2E152} - C:\WINDOWS\system32\ntpm32.dll (file missing)
    O2 - BHO: Class - {4197FF54-5C18-A7E5-9CC3-32130092E2A4} - C:\WINDOWS\crnk32.dll (file missing)
    O2 - BHO: Class - {516B05B7-D345-D25A-1547-83C52F819898} - C:\WINDOWS\ipxb32.dll (file missing)
    O2 - BHO: Class - {5B6D32FC-7E68-F50D-861F-4041172E35C4} - C:\WINDOWS\system32\sysbh.dll (file missing)
    O2 - BHO: Class - {5FD30CE7-0DCC-51E7-8545-3F1D6198A4F5} - C:\WINDOWS\system32\iegh32.dll (file missing)
    O2 - BHO: Class - {5FD34605-9D7C-45FB-AA12-0B1E9432128B} - C:\WINDOWS\system32\sysqq.dll (file missing)
    O2 - BHO: Class - {68DEE458-C434-7DFA-9793-DFC94F3C9C3B} - C:\WINDOWS\appzy32.dll (file missing)
    O2 - BHO: Class - {6BFB4F8E-42B3-1853-FED2-0CE716BE6757} - C:\WINDOWS\system32\d3aa.dll (file missing)
    O2 - BHO: Class - {7646BE06-290C-EE4C-F003-E41039CFEDB4} - C:\WINDOWS\system32\cryb.dll (file missing)
    O2 - BHO: Class - {7ADE1326-D284-F0A5-10FF-77792B035B54} - C:\WINDOWS\msqf.dll (file missing)
    O2 - BHO: Class - {7B79D3C0-5BA6-4760-51E7-D201FEA013C7} - C:\WINDOWS\system32\javacu32.dll (file missing)
    O2 - BHO: Class - {80DAA425-DA60-3DA0-927D-F4CE735B581F} - C:\WINDOWS\sysng32.dll (file missing)
    O2 - BHO: Class - {8EABB85C-4D63-D1BB-01F2-AE33BBD7CE6A} - C:\WINDOWS\system32\syszi.dll (file missing)
    O2 - BHO: Class - {9155F4A4-C9AF-713E-C968-01E619660034} - C:\WINDOWS\crtp32.dll (file missing)
    O2 - BHO: Class - {924B4D7B-F300-E37F-AE93-3DD350DA5B57} - C:\WINDOWS\system32\winad32.dll
    O2 - BHO: Class - {A72CF6EF-6CF2-42D8-2DB0-27CB6FCBFF6A} - C:\WINDOWS\winfa.dll (file missing)
    O2 - BHO: Class - {A9A7088B-63E9-D824-8BED-B299CE8A4339} - C:\WINDOWS\system32\ieou.dll (file missing)
    O2 - BHO: Class - {B9C08788-99E3-0FDE-627D-4CBCC68F6D36} - C:\WINDOWS\sysmv32.dll (file missing)
    O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apikn.dll (file missing)
    O2 - BHO: Class - {D46BCBAD-B2DB-4BFA-6795-B84A766FCDDF} - C:\WINDOWS\system32\apids.dll (file missing)
    O2 - BHO: Class - {DD2786BE-3BE2-FC80-F475-561735175B9A} - C:\WINDOWS\system32\ieyl32.dll (file missing)
    O2 - BHO: Class - {DEE73BDA-597A-B499-19B2-6F569DFF8BCF} - C:\WINDOWS\d3ut.dll (file missing)
    O2 - BHO: Class - {DF51367E-27AA-E116-5B49-FD93BFC70C15} - C:\WINDOWS\system32\addax32.dll (file missing)
    O2 - BHO: Class - {E42B61C2-66D3-07B5-A6D8-5FD00BC22603} - C:\WINDOWS\system32\netqw.dll
    O2 - BHO: Class - {F58F81C3-2AC2-0FE8-BD83-A5E72B3E58A3} - C:\WINDOWS\system32\ipwf.dll (file missing)
    O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
    O4 - HKLM\..\Run: [ipez32.exe] C:\WINDOWS\system32\ipez32.exe
    O23 - Service: Network Security Service (NSS) ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\atlmt.exe


  • Next run CWShredder, making sure to click "Fix".


  • Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

  • Run Ewido:
    • Click on Scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files; click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido


  • Finally run a full scan with Adaware.


Reboot your computer to go back to normal mode and post a new HijackThis log, the Ewido log, and the log from AboutBuster.
* If the Ewido log is too large to post, please attach it to your next reply so that I can still review it.
  • 0

#3
eladbenda
    New Member
  • Topic Starter
  • 4 posts
Hi.
I did it all; this is the log:
AboutBuster 5.1, reference file 32
Scan started on [25/10/2005] at [18:49:14]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\dgsgb.dat
Removed File! : C:\WINDOWS\jbdgb.dat
Removed File! : C:\WINDOWS\lxafd.dat
Removed File! : C:\WINDOWS\qgtca.dat
Removed File! : C:\WINDOWS\rfbwo.dat
Removed File! : C:\WINDOWS\system32\cljfd.dat
Removed File! : C:\WINDOWS\system32\ebbgj.dat
Removed File! : C:\WINDOWS\system32\ecylk.dat
Removed File! : C:\WINDOWS\system32\ildow.dat
Removed File! : C:\WINDOWS\system32\jobyw.dat
Removed File! : C:\WINDOWS\system32\ovxfw.dat
Removed File! : C:\WINDOWS\system32\wluhi.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 18:50:49
Logfile of HijackThis v1.99.1
Scan saved at 20:44:36, on 25/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ipve32.exe
C:\WINDOWS\system32\atlux32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Documents and Settings\Benda\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0707DBFD-EC1E-ADBE-C44B-038A3D264C94} - C:\WINDOWS\system32\atlux32.dll
O2 - BHO: Class - {BD2572C3-91F3-D764-96F0-7518D05E9428} - C:\WINDOWS\appxx.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [atlux32.exe] C:\WINDOWS\system32\atlux32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123783589046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A9F053-D7FE-47EF-B759-5656544D375D}: NameServer = 192.114.47.4,192.114.47.52
O23 - Service: Workstation NetLogon Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\system32\ipve32.exe" /s (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Ewido fails to run successfully (I think): it found a few bad files, but it suddenly stopped working and the program "disappeared". This is the only log I found:

file: logfile.txt
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
  • 0

#4
Buckeye_Sam
    Malware Expert
  • 10,019 posts
You still have signs of the CWS infection in your log.

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: Class - {0707DBFD-EC1E-ADBE-C44B-038A3D264C94} - C:\WINDOWS\system32\atlux32.dll
O2 - BHO: Class - {BD2572C3-91F3-D764-96F0-7518D05E9428} - C:\WINDOWS\appxx.dll
O4 - HKLM\..\Run: [atlux32.exe] C:\WINDOWS\system32\atlux32.exe
O23 - Service: Workstation NetLogon Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\system32\ipve32.exe" /s (file missing)
Delete these files, if present.

C:\WINDOWS\appxx.dll
C:\WINDOWS\system32\atlux32.dll
C:\WINDOWS\system32\atlux32.exe

Reboot and post a new HijackThis log.
  • 0
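The indicators Sam acts on across the two posts above (generic "Class" BHOs backed by random-named DLLs dropped straight into C:\WINDOWS or system32, often already "(file missing)" because an earlier scanner removed the DLL but left the registry entry; HKLM Run values named after their own executable; a service with "Unknown owner" and a garbled name; the missing default URLSearchHook) can be picked out of a HijackThis log mechanically, and comparing two logs shows the "comes back under other names" behaviour the topic starter describes in post #1. The script below is an added example, not part of this thread and not code from HijackThis or Geeks to Go; the regexes, the DROP_DIRS list, the RANDOM_NAME heuristic and the KNOWN_GOOD allowlist are assumptions, and the two sample logs are constructed, modelled on the ones posted above.

```python
"""Triage a HijackThis-style log for the CWS-like pattern seen in this thread.

Added example: not part of the Geeks to Go thread and not HijackThis code.
Regexes, DROP_DIRS, RANDOM_NAME and KNOWN_GOOD are assumptions, not vendor data.
"""
import re

LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
                 r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
RUN = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
SVC = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Directories the droppers in this thread wrote into directly (assumption, lower-case).
DROP_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")
# 4-7 alphanumerics, optional "32", .dll/.exe: the naming scheme in the posted logs.
RANDOM_NAME = re.compile(r"^[a-z0-9]{4,7}(32)?\.(dll|exe)$", re.I)
# Legitimate system binaries that would otherwise match RANDOM_NAME (assumption).
KNOWN_GOOD = {"ctfmon.exe"}


def split_path(path):
    """(directory, basename), lower-cased, with quotes and arguments stripped."""
    path = path.strip().strip('"')
    path = re.split(r'"| /', path)[0]  # e.g. '...\ipve32.exe" /s (file missing)'
    d, _, base = path.rpartition("\\")
    return d.lower() + "\\", base.lower()


def looks_dropped(path):
    """True when the file sits directly in a drop dir under a random-looking name."""
    d, base = split_path(path)
    return d in DROP_DIRS and bool(RANDOM_NAME.match(base)) and base not in KNOWN_GOOD


def triage(log_text):
    """Return [(section, reason, line)] for every log line matching an indicator."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if not m:
            continue  # header, running-process list, blank line
        sec, body = m["sec"], m["body"]
        if sec == "R3" and body == "Default URLSearchHook is missing":
            hits.append((sec, "default URLSearchHook removed", line))
        elif sec == "O2" and (b := BHO.match(body)) and looks_dropped(b["path"]):
            why = "random-named BHO DLL in a system dir"
            if b["missing"]:
                why += " (DLL already gone, registry entry orphaned)"
            hits.append((sec, why, line))
        elif sec == "O4" and (r := RUN.match(body)) and looks_dropped(r["cmd"]):
            why = "random-named autorun in a system dir"
            if r["key"].lower() == split_path(r["cmd"])[1]:
                why += ", value named after its own file"
            hits.append((sec, why, line))
        elif sec == "O23" and (s := SVC.match(body)):
            unknown = s["owner"] == "Unknown owner"
            garbled = any(not 32 <= ord(c) <= 126 for c in s["name"])
            if unknown or garbled:
                parts = [w for w, on in (("unknown owner", unknown),
                                         ("a garbled name", garbled)) if on]
                hits.append((sec, "service with " + " and ".join(parts), line))
    return hits


def regenerated(before, after):
    """Indicators in the later log that the earlier one lacked: the infection
    coming back under new names, as the topic starter describes."""
    seen = {line for _, _, line in triage(before)}
    return [hit for hit in triage(after) if hit[2] not in seen]


# Constructed sample logs, modelled on the ones posted in this thread.
LOG_BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {02B481BA-C588-7AF1-0EFF-F69B008B338C} - C:\WINDOWS\apppm32.dll (file missing)
O2 - BHO: Class - {E42B61C2-66D3-07B5-A6D8-5FD00BC22603} - C:\WINDOWS\system32\netqw.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service (NSS) ( 11Fה#·÷`I) - Unknown owner - C:\WINDOWS\atlmt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

LOG_AFTER = r"""
O2 - BHO: Class - {0707DBFD-EC1E-ADBE-C44B-038A3D264C94} - C:\WINDOWS\system32\atlux32.dll
O4 - HKLM\..\Run: [atlux32.exe] C:\WINDOWS\system32\atlux32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11Fה#·÷`I) - Unknown owner - C:\WINDOWS\system32\ipve32.exe" /s (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for label, log in (("first log", LOG_BEFORE), ("after cleanup", LOG_AFTER)):
        print(f"== {label}")
        for sec, why, line in triage(log):
            print(f"{sec:>4}  {why}\n      {line}")
    print("== new since first log")
    for sec, _, line in regenerated(LOG_BEFORE, LOG_AFTER):
        print(f"{sec:>4}  {line}")
```

Run as a script it prints the flagged lines of both samples and then the ones that only appear in the second; in practice you would paste in the log text from the post. The heuristics are deliberately narrow: legitimate system files such as ctfmon.exe and NeroCheck.exe are kept out by the allowlist and the length rule, an O2 entry marked "(file missing)" is reported as an orphaned registry entry rather than a live DLL, and anything the rules miss still needs the line-by-line review Sam does in the thread.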

#5
eladbenda
    New Member
  • Topic Starter
  • 4 posts
Hi.
I did what you said.
This is my new log:
Logfile of HijackThis v1.99.1
Scan saved at 01:14:15, on 27/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\javaxw.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ipto32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\Documents and Settings\Benda\Desktop\New Folder\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ynet.co.il
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {C0C47BA7-3AAA-10E3-3AED-070DDAD18C68} - C:\WINDOWS\system32\msun32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O8 - Extra context menu item: &יצא ל- Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: מחקר - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123783589046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F8A9F053-D7FE-47EF-B759-5656544D375D}: NameServer = 192.114.47.4,192.114.47.52
O23 - Service: Workstation NetLogon Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\system32\ipve32.exe" /s (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


Thanks.
  • 0

#6
Buckeye_Sam
    Malware Expert
  • 10,019 posts
Still there.

Please fix these lines with HijackThis.

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {C0C47BA7-3AAA-10E3-3AED-070DDAD18C68} - C:\WINDOWS\system32\msun32.dll
O23 - Service: Workstation NetLogon Service ( 11Fה#·÷ִײ`I) - Unknown owner - C:\WINDOWS\system32\ipve32.exe" /s (file missing)

See if you can get Ewido to scan again. If not, run a scan with Spy Sweeper.

Reboot and post a new HijackThis log and the log from either Spy Sweeper or Ewido.
  • 0

#7
Buckeye_Sam
    Malware Expert
  • 10,019 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0