hijackthis log - slow running no malware found...?



#16 slystevo (Topic Starter, Member, 29 posts)
Hope this is what you're looking for....

Fri Nov 04 17:51:13 2005 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.
Fri Nov 04 17:51:13 2005 => System found infected with troj/taladra-f BackDoor ({e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c})! Action taken: No Action Taken.

Found this entry buried in there too:

Fri Nov 04 17:53:47 2005 => File C:\WINDOWS\system32\tmp1.com infected by "Worm.Win32.Wilab.b" Virus! Action Taken: No Action Taken.

Thanks


#17 daparker (Visiting Staff, 232 posts)
Please download the Registry Search tool by clicking on the "hard drive" icon three quarters of the way down this page. Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for {19e28afc-eae3-4ce5-ac83-2407b42f57c9} and click OK. Post the logfile from the tool here for me. Do the same for {e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c}, please.

Go ahead and delete tmp1.com, as well.

#18 slystevo (Topic Starter, Member, 29 posts)
Hi, as requested...
Thanks for all your help by the way!

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{19e28afc-eae3-4ce5-ac83-2407b42f57c9}" 07/11/2005 16:28:36

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}\Programmable]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}\VersionIndependentProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsSecurityAdvisor.WindowsSecurityAdvisor\CLSID]
@="{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WindowsSecurityAdvisor.WindowsSecurityAdvisor.1\CLSID]
@="{19E28AFC-EAE3-4CE5-AC83-2407B42F57C9}"

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "{e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c}" 07/11/2005 16:30:34

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Control]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\InprocServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\MiscStatus\1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ProgID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\ToolboxBitmap32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\TypeLib]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}\Version]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTService.Control.1\CLSID]
@="{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}"
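The Registry Search log above lists only the key names under each CLSID; it does not show the default value of InprocServer32, which is the path of the DLL or OCX the CLSID actually loads, and that path is what tells you whether the flagged component is something to delete. The following PowerShell script is an added example, not from this thread and not part of the Registry Search tool: it resolves a CLSID to its server file and, if the file exists, reports its Authenticode signer and SHA-256 hash. It assumes Windows PowerShell 4 or later, run elevated on the affected machine; the two CLSIDs fed to it at the end are the ones from the MWav log in this thread, and the Wow6432Node root only exists on 64-bit Windows.

```powershell
# Added example, not from the thread: resolve a scanner-flagged CLSID to the COM
# server it registers, so the file can be examined before any key or file is deleted.
# Run from an elevated PowerShell on the affected machine.

function Resolve-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)

    # Normalise to the braced, upper-case form used for the key names.
    $id = '{' + $Clsid.Trim('{}').ToUpperInvariant() + '}'

    # HKCR is a merged view of the per-machine and per-user Classes keys; check the
    # underlying locations directly, plus the 32-bit view present on 64-bit Windows.
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )

    foreach ($root in $roots) {
        $key = Join-Path $root $id
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $result = [ordered]@{
            Clsid       = $id
            Key         = $key
            Description = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
            ProgId      = (Get-ItemProperty -LiteralPath "$key\ProgID" -ErrorAction SilentlyContinue).'(default)'
            ServerType  = $null
            Server      = $null
            FileExists  = $false
            Signer      = $null
            Sha256      = $null
        }

        # InprocServer32 names a DLL/OCX loaded into the calling process;
        # LocalServer32 names a separate EXE.
        foreach ($type in 'InprocServer32', 'LocalServer32') {
            $sub = "$key\$type"
            if (-not (Test-Path -LiteralPath $sub)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $sub).'(default)'
            if (-not $raw) { continue }

            # Strip surrounding quotes or trailing switches, then expand %SystemRoot%-style variables.
            $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { $raw -replace '\s+[-/].*$', '' }
            $path = [Environment]::ExpandEnvironmentVariables($path)

            $result.ServerType = $type
            $result.Server     = $path
            if (Test-Path -LiteralPath $path -PathType Leaf) {
                $result.FileExists = $true
                $sig = Get-AuthenticodeSignature -FilePath $path
                $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
                $result.Sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            }
        }
        [pscustomobject]$result
    }
}

# The two CLSIDs from the MWav log in this thread.
'{19e28afc-eae3-4ce5-ac83-2407b42f57c9}', '{e7bc34a3-ba86-11cf-84b1-cbc2da68bf6c}' |
    ForEach-Object { Resolve-Clsid -Clsid $_ } |
    Format-List
```

A CLSID whose server file is missing (as ntsvc.ocx turns out to be later in this thread) is an orphaned registration: its keys can be removed, but there is no file to delete. Where the file does exist, the signer and hash give you something to check against the vendor or a multi-engine scanner before acting on a single scanner's verdict.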

#19 daparker (Visiting Staff, 232 posts)
Please run Notepad and paste the following text into a new file:

REGEDIT4

; Remove the CLSID, interface, type library and ProgID registrations for NTService.Control.1
; and the NTAuth service entry.

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTAuth]

[-HKEY_CLASSES_ROOT\CLSID\{E7BC34A3-BA86-11CF-84B1-CBC2DA68BF6C}]

[-HKEY_CLASSES_ROOT\Interface\{E7BC34A1-BA86-11CF-84B1-CBC2DA68BF6C}]

[-HKEY_CLASSES_ROOT\Interface\{E7BC34A2-BA86-11CF-84B1-CBC2DA68BF6C}]

[-HKEY_CLASSES_ROOT\NTService.Control.1]

[-HKEY_CLASSES_ROOT\TypeLib\{E7BC34A0-BA86-11CF-84B1-CBC2DA68BF6C}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NTService.Control.1]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Delete the following file:
C:\Windows\System32\ntsvc.ocx

The other appears to be a false positive by MWav.

Reboot your computer and run a new scan with MWav and post its results, as before.
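Before merging a deletion script like the one above, it is worth checking that every key it names actually exists and is spelled the way the registry stores it: a GUID written with parentheses instead of braces, or a stray character after the closing bracket, makes regedit skip or reject that line without removing anything, and the scanner will keep reporting the same CLSID. The script below is an added example, not part of the original post, that dry-runs a .reg file: for every `[-...]` deletion line it reports whether the key is present and flags those two mistakes. It changes nothing, and it assumes the file was saved as fix.reg on the desktop, as the post instructs.

```powershell
# Added example, not from the thread: check a deletion .reg file before merging it.
# Reports, for each "[-KEY]" line, whether the key exists, and flags GUIDs written
# with ( ) instead of { } and text left over after the closing bracket.

function Test-RegDeleteScript {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($line in Get-Content -LiteralPath $Path) {
        # Deletion lines look like [-HKEY_...\Sub\Key]; ignore everything else.
        if ($line -notmatch '^\[-(?<key>[^\]]+)\](?<extra>.*)$') { continue }
        $key   = $Matches.key.TrimEnd('\')
        $extra = $Matches.extra

        $issues = @()
        if ($extra -ne '') {
            $issues += "trailing text after ']': '$extra'"
        }
        if ($key -match '\([0-9A-Fa-f-]{36}\)') {
            $issues += 'GUID written with ( ) instead of { }'
        }
        if ($key -notmatch '^HKEY_(LOCAL_MACHINE|CURRENT_USER|CLASSES_ROOT|USERS|CURRENT_CONFIG)\\') {
            $issues += 'unrecognised hive name'
        }

        # The Registry:: provider path accepts every hive by its full HKEY_ name.
        $exists = Test-Path -LiteralPath "Registry::$key"

        [pscustomobject]@{
            Key    = $key
            Exists = $exists
            Issues = ($issues -join '; ')
        }
    }
}

# Assumed location, matching the post: fix.reg on the current user's desktop.
Test-RegDeleteScript -Path (Join-Path $env:USERPROFILE 'Desktop\fix.reg') |
    Format-Table -AutoSize -Wrap
```

A line that reports Exists = False with no issue is harmless but useless; a line that reports an issue should be corrected before the file is merged, since regedit gives no feedback about keys it could not find.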

#20 slystevo (Topic Starter, Member, 29 posts)
OK, the trojan has gone and so has the tmp1.com worm.

the file C:\Windows\System32\ntsvc.ocx does not exist though.

The MWAV log still lists the email flooder:
Mon Nov 07 17:37:27 2005 => System found infected with w32/rbot-ank Email-Flooder ({19e28afc-eae3-4ce5-ac83-2407b42f57c9})! Action taken: No Action Taken.

#21 daparker (Visiting Staff, 232 posts)
Good to hear. The Email-Flooder appears to be a false positive by MWav. If you like we can run some other scans to confirm that. MWav is known to have false positives, though.

#22 slystevo (Topic Starter, Member, 29 posts)
Hi, thanks for all your help. You're probably right about the false positive. I couldn't find anything with Panda or Trend Micro HouseCall or Ewido, so it's probably nothing. Out of interest, though, I googled w32/rbot-ank Email-Flooder and it came up with a forum that told the user to format and reinstall their system! See http://forum.hijackt...p?t=9895&page=2. Also found a page that reckons it's a load of rubbish and it's a scam by MWAV. See http://discussions.v...43&page=2&pp=15. He sounds like a paranoid lunatic to me but thought it might interest you.

If you think it's safe we'll leave it, but I'm willing to try anything else you suggest just to make sure. Thanks

#23 daparker (Visiting Staff, 232 posts)
Well, I was going to suggest an online scan by Panda and/or Housecall, but since you did those already, I think we have this one whipped. Anything else you needed help with?

#24 slystevo (Topic Starter, Member, 29 posts)
No, that's great. Thanks again for all your help!