Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

reappearing malware... [RESOLVED]

Started by mattfili , Nov 07 2005 06:14 PM

  • This topic is locked This topic is locked

#16
mattfili
Posted 13 November 2005 - 04:58 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
well, this is a little interesting... rundll32.exe does not appear in the list.
  • 0

Advertisements

#17
Buckeye_Sam
Posted 13 November 2005 - 05:00 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Does C:\WINDOWS\SYSTEM32\guard.tmp show up in your list of files?

If so, proceed with the fix and don't worry about it.
  • 0

#18
mattfili
Posted 13 November 2005 - 05:01 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
no, it does not appear
  • 0

#19
Buckeye_Sam
Posted 13 November 2005 - 05:03 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Do all of the other files appear? What shows up in the drop down list?
  • 0

#20
mattfili
Posted 13 November 2005 - 05:06 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
C:\WINDOWS\SYSTEM32\g8040idqe80e0.dll
C:\WINDOWS\SYSTEM32\ioput.dll
C:\WINDOWS\SYSTEM32\moisip.dll
C:\WINDOWS\SYSTEM32\l02s0af7ed2.dll
C:\WINDOWS\SYSTEM32\vwajet32.dll
C:\WINDOWS\SYSTEM32\mvn6l95s1.dll
C:\WINDOWS\SYSTEM32\j2j6lc1s1f.dll
C:\WINDOWS\SYSTEM32\g2220cfoef2c0.dll
C:\WINDOWS\SYSTEM32\SysRes.exe
C:\WINDOWS\SYSTEM32\networknbh.exe

all appear,
C:\WINDOWS\SYSTEM32\guard.tmp is the only file that does not
  • 0

#21
Buckeye_Sam
Posted 13 November 2005 - 05:11 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Are you in Safe mode or normal?
  • 0

#22
mattfili
Posted 13 November 2005 - 05:12 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
normal
  • 0

#23
Buckeye_Sam
Posted 13 November 2005 - 05:17 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Double check one more time for me to be sure that rundll32.exe not showing up. Then try to add C:\WINDOWS\SYSTEM32\guard.tmp to this list.

Then go ahead and run through the fix regardless of whether you can get it there or not. We may have to run through it again, but we'll see.

Post the logs when you are done.
  • 0

#24
mattfili
Posted 13 November 2005 - 05:54 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
all the files deleted excpt C:\WINDOWS\SYSTEM32\guard.tmp, and kill box said the file did not exist. I ran a reboot after kill box.

lm2fix could not open in normal mode, so i tried running it in safe mode. After the welcome screen, a registry editor prompt appeared which said "Cannot export backregs\9161303C-C190-446C-995C-55334186BFCC.reg: Error opening file. There may be a disk or file system error."

then some green cmd screen was scanning, and it disappeared and nothing loaded.

Hijackthis log was also taken from safe mode, as it would not open in normal.

********
5:23 PM: | Start of Session, Sunday, November 13, 2005 |
5:23 PM: Spy Sweeper started
5:23 PM: Sweep initiated using definitions version 572
5:23 PM: Starting Memory Sweep
5:25 PM: Memory Sweep Complete, Elapsed Time: 00:01:33
5:25 PM: Starting Registry Sweep
5:25 PM: Registry Sweep Complete, Elapsed Time:00:00:13
5:25 PM: Starting Cookie Sweep
5:25 PM: Found Spy Cookie: atlas dmt cookie
5:25 PM: matt@atdmt[2].txt (ID = 2253)
5:25 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:25 PM: Starting File Sweep
5:29 PM: File Sweep Complete, Elapsed Time: 00:04:36
5:29 PM: Full Sweep has completed. Elapsed time 00:06:25
5:29 PM: Traces Found: 1
5:30 PM: Removal process initiated
5:30 PM: Quarantining All Traces: atlas dmt cookie
5:30 PM: Removal process completed. Elapsed time 00:00:00


Logfile of HijackThis v1.99.1
Scan saved at 5:44:58 PM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VGATune] VGATune.exe
O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\Run: [SystemRestore] SysRes.exe
O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
O4 - HKLM\..\RunServices: [SystemRestore] SysRes.exe
O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VGATune] VGATune.exe
O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
O4 - HKCU\..\Run: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
O4 - HKCU\..\Run: [SystemRestore] SysRes.exe
O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
O4 - HKCU\..\RunServices: [SystemRestore] SysRes.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)
  • 0

#25
mattfili
Posted 13 November 2005 - 05:58 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
and the l2mfix option 1 report, taken from safe mode:

L2MFIX find log 1.04a
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{8FF43EAA-2BB1-4A53-8E18-D9221E56E593}"="CePMTab Property Sheet"
"{9ED66769-A198-41FE-8615-601691C68846}"="TouchPad Property Sheet"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
gve_32.dll Mon Nov 7 2005 5:50:24p A.... 0 0.00 K
islzma.dll Fri Oct 21 2005 3:50:14p A.... 102,912 100.50 K
px.dll Wed Sep 14 2005 1:17:44p A.... 462,848 452.00 K
pxdrv.dll Wed Sep 14 2005 1:17:44p A.... 319,488 312.00 K
pxmas.dll Wed Sep 14 2005 1:17:44p A.... 143,360 140.00 K
pxwave.dll Wed Sep 14 2005 1:17:44p A.... 286,720 280.00 K
sirenacm.dll Wed Oct 12 2005 5:11:06p A.... 118,784 116.00 K
vxblock.dll Wed Sep 14 2005 1:17:44p A.... 28,672 28.00 K
wrlogo~1.dll Mon Oct 24 2005 12:19:50p A.... 492,544 481.00 K
wrlzma.dll Mon Oct 24 2005 12:19:46p A.... 17,920 17.50 K

10 items found: 10 files, 0 directories.
Total of file sizes: 1,973,248 bytes 1.88 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is S3A1519D001
Volume Serial Number is F8F4-FFC8

Directory of C:\WINDOWS\System32

11/06/2005 04:37 AM <DIR> dllcache
12/11/2003 03:46 PM <DIR> Microsoft
10/17/2003 05:34 PM 11,264 Thumbs.db
1 File(s) 11,264 bytes
2 Dir(s) 72,164,507,648 bytes free
  • 0

Advertisements

#26
Buckeye_Sam
Posted 14 November 2005 - 04:53 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
That did it! Now let's work on the rest of the stuff you have.

First we need to download and prepare some tools that we will need to fix your problem.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download Adaware SE 1.06
    Install Adaware and check for updates, but don't run it yet.

  • Please download CleanUp 4.0
    Install CleanUp, but don't run it yet.

==============


Now that you have the right tools we can start fixing your problem.

Please make sure that you can View Hidden Files


Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


=============


Once in Safe mode, follow these steps:
  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    O4 - HKLM\..\Run: [VGATune] VGATune.exe
    O4 - HKLM\..\Run: [Microsoft Network Neighbourhood] networknbh.exe
    O4 - HKLM\..\Run: [SystemRestore] SysRes.exe
    O4 - HKLM\..\Run: [CD-R 64x] disk64x.exe
    O4 - HKLM\..\RunServices: [VGATune] VGATune.exe
    O4 - HKLM\..\RunServices: [Microsoft Network Neighbourhood] networknbh.exe
    O4 - HKLM\..\RunServices: [SystemRestore] SysRes.exe
    O4 - HKLM\..\RunServices: [CD-R 64x] disk64x.exe
    O4 - HKCU\..\Run: [VGATune] VGATune.exe
    O4 - HKCU\..\Run: [CD-R 64x] disk64x.exe
    O4 - HKCU\..\Run: [Microsoft Config 32] msconfigx32.exe
    O4 - HKCU\..\Run: [wmsskp] C:\WINDOWS\System32\wmsskp.exe
    O4 - HKCU\..\Run: [SystemRestore] SysRes.exe
    O4 - HKCU\..\RunServices: [VGATune] VGATune.exe
    O4 - HKCU\..\RunServices: [CD-R 64x] disk64x.exe
    O4 - HKCU\..\RunServices: [SystemRestore] SysRes.exe
    O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
    O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
    O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
    O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)


  • Delete these files (Do not be concerned if they do not exist);


    C:\WINDOWS\shost.exe
    C:\WINDOWS\System32\wmsskp.exe
    VGATune.exe
    disk64x.exe
    msconfigx32.exe
    SysRes.exe



  • Now run CleanUp
    IMPORTANT!
    CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
    If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

    Running CleanUp
    • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
    • When CleanUp starts go to the Options button (right side of CleanUp screen)
    • Move the arrow down to "Custom CleanUp!"
    • Now place a checkmark next to the following (Make sure nothing else is checked!):
      • Delete Cookies
        This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
      • Empty Recycle Bins
      • Delete Prefetch files
      • Cleanup! All Users
    • Click OK
    • Then click on the CleanUp button. This will take a short while, let it do its thing.
    • When asked to reboot system select No
    • Close CleanUp

  • Open Ad-aware and do a full scan. Remove everything that it finds.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop.
    • Close Ewido.

  • Reboot back into normal mode.

  • Please run this online virus scan - Panda Virus Scan
    • Make sure it is set to clean automatically.
    • There may be files that this scan will not remove. Please save that information to include in your next post.

  • Reboot your computer and post the following information in your next reply:
    • A new Hijackthis log
    • The Ewido log
    • The log from Panda online virus scan
Let me know how things are running and what problems you are still having.
  • 0

#27
mattfili
Posted 14 November 2005 - 07:06 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:00:12 PM, on 11/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\msdt.exe
C:\WINDOWS\shost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINDOWS\msdt.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:04:32 PM, 11/14/2005
+ Report-Checksum: EF925165

+ Scan result:

C:\!KillBox\g2220cfoef2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\g8040idqe80e0.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\ioput.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\j2j6lc1s1f.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\l02s0af7ed2.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\moisip.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\mvn6l95s1.dll -> Spyware.Look2Me : Cleaned with backup
C:\!KillBox\networknbh.exe -> Backdoor.Rbot.adf : Cleaned with backup
C:\!KillBox\vwajet32.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/bpackbox.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/dnr8019ue.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ennsl1571.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ftamebuf.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/h20qlcd51f0.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/hrjo0513e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ir6ql5j51.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/irlql5351.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/irn4l55q1.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ktpol7731.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/lankinfo.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/lv0m09d1e.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/mtndex.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/RWLCPAPI.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/ssclogon.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/wdadmoe.dll -> Spyware.Look2Me : Cleaned with backup
C:\backup.zip/guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\index1.exe -> Trojan.LowZones.cq : Cleaned with backup
C:\WINDOWS\msmedia32.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6XCLOYW9\drsmartload114a[1].exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6XCLOYW9\index1[1].exe -> Trojan.LowZones.cq : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\H8KWE8H7\drsmartload_js[1].htm -> TrojanDownloader.IstBar.j : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\Q0QPP8NS\mtrslib2[1].js -> TrojanDownloader.Small.ag : Cleaned with backup
C:\WINDOWS\system32\eraseme_15683.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\eraseme_63053.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\kaspersky.exe -> Backdoor.Rbot.adf : Cleaned with backup
C:\WINDOWS\system32\MSLs32.exe -> TrojanProxy.Ranky : Cleaned with backup
C:\WINDOWS\system32\msmedia32.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\WINDOWS\system32\nod32kui.exe -> Backdoor.Rbot.adf : Cleaned with backup
C:\WINDOWS\system32\phr.exe -> Trojan.MulDrop.1732 : Cleaned with backup
C:\WINDOWS\system32\remon.sys -> Trojan.Rootkit.Agent.ab : Cleaned with backup


::Report End


I could not get panda to scan on my computer.
  • 0

#28
Buckeye_Sam
Posted 15 November 2005 - 08:15 AM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I'm getting a better idea of what we're still dealing with here.

Download and run Stinger. Let me know what it finds.
http://download.nai....ert/stinger.exe

It should give you a log that you can post.



Now since you haven't been able to run Panda, I'd like you to run BitDefender.

Please download Bit Defender 8 Free Edition
  • Install the program and then follow the prompts to download all available updates.
  • Perform a full scan on your Local drive.
  • When the scan is complete save the log and post it back here in your next reply.

After both scans reboot and post the logs from Stinger, BitDefender, and a new hijackthis log.
  • 0

#29
mattfili
Posted 15 November 2005 - 02:18 PM

mattfili

    Member

  • Topic Starter
  • Member
  • PipPip
  • 26 posts
stinger: McAfee AVERT Stinger Version 2.5.6 built on Aug 16 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on Aug 16 2005.

Ready to scan for 54 viruses, trojans and variants.



Scan initiated on Tue Nov 15 13:20:44 2005

C:\WINDOWS\system32\i

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINDOWS\system32\i has been deleted.

C:\WINDOWS\system32\ii

Found the W32/Sdbot.worm!ftp virus !!!

C:\WINDOWS\system32\ii has been deleted.

Number of clean files: 88118

Number of infected files: 2

Number of files deleted: 2




//-----------------------------------------------------------------
//
// Product: BitDefender 8 Free Edition
// Version: 8.0
//
// Created on: 15/11/2005 13:51:38
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 2187
Files : 163298
Archives : 6975
Packed files : 12716
Identified viruses : 3
Infected files : 12
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 1
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 139
Scan time : 00:20:14
Scan speed (files/sec) : 134

Virus definitions : 233626
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-00-38.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-00-38.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-00-38.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-16-48.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-16-48.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-16-48.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Dyfuca.52104.B
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-13-50-09.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Dyfuca.52104.B
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine06-11-2005-18-27-14.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-15-48-07.xpy=>(Embedded EXE g) Infected Trojan.Downloader.TSUpdate.K
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-15-48-07.xpy=>(Embedded EXE g) Deleted
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-15-48-07.xpy Update failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-21-42-37.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-21-42-37.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-21-42-37.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Dyfuca.52104.B
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine07-11-2005-22-15-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-18-49-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Dyfuca.52104.B
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-18-49-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-18-49-00.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-19-17-21.xpy=>(Embedded EXE g)=>(Embedded EXE o) Infected Trojan.Startpage.SM
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-19-17-21.xpy=>(Embedded EXE g)=>(Embedded EXE o) Disinfection failed
C:\Program Files\XoftSpy\Quarantine\Quarantine08-11-2005-19-17-21.xpy=>(Embedded EXE g)=>(Embedded EXE o) Move failed


Logfile of HijackThis v1.99.1
Scan saved at 2:14:12 PM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ACS.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
C:\Program Files\EzButton\EzButton.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\msdt.exe
C:\WINDOWS\shost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Softwin\BitDefender8\bdswitch.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
c:\program files\softwin\bitdefender8\bdmcon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {B313D637-F405-4052-AC37-E2119AB3C8F8} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Battery Checker] C:\Program Files\TOSHIBA\Battery Checker\BtryChkr.exe
O4 - HKLM\..\Run: [EzButton] C:\Program Files\EzButton\EzButton.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\System32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINDOWS\msdt.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)



on spysweeper i got some kind of promt over and over again saying "BHO Shield: found: geedd.dll"
  • 0

#30
Buckeye_Sam
Posted 15 November 2005 - 06:23 PM

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download this file and extract it to your desktop.
http://www.atribune....ds/rdrivrem.zip

Reboot your computer into Safe Mode.[/b] You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
**If it asks if you want to reboot or log off press NO.

4.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:


O20 - Winlogon Notify: geedd - C:\WINDOWS\System32\geedd.dll (file missing)
O23 - Service: Microsoft Distributed Transaction (MSDT) - Unknown owner - C:\WINDOWS\msdt.exe
O23 - Service: Microsoft Path Finder Service (MSpath) - Unknown owner - C:\WINDOWS\mspath.exe (file missing)
O23 - Service: DLL Manager (mswindll) - Unknown owner - C:\WINDOWS\mswindll32.exe (file missing)
O23 - Service: Service Hosts (ServiceHost) - Unknown owner - C:\WINDOWS\shost.exe
O23 - Service: Windows Stability Route (WSR) - Unknown owner - C:\WINDOWS\construct.exe (file missing)


Close HiJackThis.

Reboot your computer into normal mode.


Please run at least one of these online scans.
Make sure they are set to clean automatically

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There may be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log, the contents of rdriv.txt, and the info from your virus scan.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP