
Help Please!


This topic is locked
29 replies to this topic

#1 stu

stu

  • Members
  • 24 posts

Posted 04 February 2005 - 12:20 PM

You guys were gracious enough to assist me before with one of my own PCs, so when a friend said he was having problems with his I suggested he post something here to get assistance. Unfortunately he wasn't able to do so due to all the problems he was having, so I offered to do it for him. Below is the HijackThis log from his PC. Any and all help greatly appreciated!

Logfile of HijackThis v1.97.7
Scan saved at 11:11:39 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\WINDOWS\System32\bnqimi.exe
C:\WINDOWS\System32\rundll32.exe
C:\program files\180solutions\sais.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\System32\ynusesiikl4zs8thd.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoursearch247.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?newlx (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearch247.com/se.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wyayp.dll/index.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?newlx (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://win-eto.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?newlx (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?newlx (obfuscated)
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\WINDOWS\System32\fea93k.dll
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\9YLX91~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [sdkfn.exe] C:\WINDOWS\system32\sdkfn.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKLM\..\Run: [zrhkxmgfanls] C:\WINDOWS\System32\bnqimi.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [lirgx] C:\WINDOWS\lirgx.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [Control handler] C:\WINDOWS\System32\ynusesiikl4zs8thd.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - HKCU\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: SideFind (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Locators.com Search Bar (HKLM)
O9 - Extra 'Tools' menuitem: Locators.com Search Bar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://ultimateplugin.com/plugin/109185.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4...006_regular.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://www101.coolsavings.com/download/cscmv5X.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8151.6797453704
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini (file missing)
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 04 February 2005 - 10:52 PM

Hello Stu,
Let's start by running some scans and seeing what they come up with. They should take out some of the malware.

***************************************************

Please download, update and run (one at a time of course!)
Spybot 1.3 and Adaware SE

Fix whatever they suggest.

***************************************************

If you need help running these tools, here are some helpful tutorials.
Spybot 1.3 Tutorial
Adaware SE Tutorial


***************************************************

Be sure to run Adaware SE with a Full Scan in the Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



The following explains how to set Ad-aware's settings to perform a "Full Scan."

In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:
Scan within archives
Under Memory & Registry, Check EVERYTHING
In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level.

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:
Unload recognized processes during scanning
Include info about ignored objects in logfile, if detected in scan
Include basic Ad-aware settings in logfile
Include additional Ad-aware settings in logfile
Include used command line parameters in logfile

In Cleaning Engine:
XP/2000: Allow unloading explorer to unload shell extensions prior to deletion
Let Windows remove files in use at next reboot
UNCHECK: Automatically try to unregister objects prior to deletion

Click Proceed to save these settings. When you would like to perform a "Full Scan," switch the scan mode from SmartScan to Custom.



***************************************************


Please download, update and run the free A2 (A squared) anti-trojan

Let it fix whatever it wants to.

***************************************************


I know you may have anti-virus software, but sometimes its definitions are corrupted due to malware. Online scans are the best resort in this case.
Run this pc through the Panda Scan Online virus scanner
or Trend Micro Housecall Online virus scanner


***************************************************

Your version of Hijackthis is outdated. The newest version of HijackThis is 1.99. Download the latest version of Hijackthis

Be sure to put HijackThis in its own folder, not in a temp folder. Here is how you make a HijackThis folder:

Click My Computer, then
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis". Now you have C:\HJT\ folder. Put your HijackThis.exe there, and double click to run it.

Next, reboot and post a fresh HijackThis log to this thread.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 stu

stu
  • Topic Starter

  • Members
  • 24 posts

Posted 08 February 2005 - 10:47 AM

Sorry it has taken so long. Below is the latest Hijackthis log after performing all of the steps. I still can't seem to get my virus software up and running. I have even tried to reinstall it and when I launch the installer I get the error message that it can't find the shell.dll???

Here is the log

Logfile of HijackThis v1.99.0
Scan saved at 9:43:06 AM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\Program Files\Spyware Doctor\swdoctor.exe /Q
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107794960484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {B64527EA-2004-49C5-87E6-6151766434E1} - systemie.dll (file missing)
O21 - SSODL: systemp - {87DFCAE8-5FD1-4EDB-A99B-E1F801A5D1D2} - systemp.dll (file missing)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 February 2005 - 11:56 AM

I still can't seem to get my virus software up and running.


If you run both the online virus scans they will take out most of the viruses on your system. The problem with the virus software may solve itself when we have your system clean.

Did you run the A2 trojan scan as I asked you? I do not see it listed in your Hijackthis log.

****************************************************
You have a suspicious file we need to check. Go to
Jotti's malware scan press the Browse button, and find C:\WINDOWS\dnscleaner.exe, then upload and scan it. Let me know the results. Copy and paste the output to this thread.

****************************************************

Please post the logs from your Adaware SE and Spybot 1.3 last scan, as I need to check the running processes.

You can get the log by opening Spybot 1.3> select Mode> Advanced > Tools> View Report> copy and paste the report to your reply.

The fastest way to get the Adaware SE log is to navigate to your Ad-aware SE folder: C:\Documents and Settings\USER NAME\Application Data\Lavasoft\Ad-Aware\Logs.

Open this folder and find the correct log.
The logs are named "Ad-Aware-log ##-##-##.txt" (the #'s will be the date of the scan). Highlight all of the text in the logfile with your mouse.
On your keyboard, press Ctrl + C, which will copy the text to your clipboard.
Now be online, logged in and ready to post your logfile.
Press Ctrl + V and that will copy your logfile to the post!

Edited by SifuMike, 08 February 2005 - 01:22 PM.

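The review the helper is doing by eye on the logs above (hijacked IE start and search pages, the win.ini autostart, Run-key entries with bare or script file names, winlogin.exe posing as winlogon.exe, ActiveX downloads from unknown hosts, SSODL shell-load entries) can be expressed as a small parser for the HijackThis log format. The script below is an added example, not part of this thread and not HijackThis code; its trusted-host and system-binary lists are assumptions for illustration, and its sample log is constructed from entry lines posted above.

```python
"""HijackThis (HJT) log triage: added example, not HijackThis code.
Parses the "Rn - ...", "F1 - ...", "On - ..." entry lines and flags the entries a
helper reviews by eye. Allowlists are assumptions, not a reputation database."""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
URL_RE = re.compile(r"(?:https?|res)://[^\s;]+")
# First executable-looking path in an autostart value, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?P<ext>exe|com|scr|bat|vbe|vbs|dll))"?', re.I)
# Assumed allowlists for this example; a real triage tool keeps its own.
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "macromedia.com", "yimg.com", "yahoo.com",
                         "akamai.net", "pandasoftware.com", "localhost")
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "explorer.exe", "smss.exe", "spoolsv.exe", "rundll32.exe"}

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted(url):
    host = host_of(url)
    return any(host == s or host.endswith("." + s) for s in TRUSTED_HOST_SUFFIXES)

def mimics_system_binary(name):
    """True when name is one substitution away from a system binary (winlogin.exe)."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return False
    return any(len(k) == len(name) and sum(a != b for a, b in zip(k, name)) == 1
               for k in SYSTEM_BINARIES)

def check_autostart(body):
    """Reasons to look closer at an O4 (Run key / Startup folder) entry."""
    value = body.partition(": ")[2]
    m = re.match(r"\[.*?\]\s*(?P<target>.*)$", value)  # Run key: "[name] target"
    # Startup-folder entries read "X.lnk = target" or are a bare file name.
    target = m.group("target") if m else (value.partition(" = ")[2] or value)
    exe = EXE_RE.match(target)
    if not exe:
        return [f"no executable file in autostart target {target!r}"]
    path, ext = exe.group("path"), exe.group("ext").lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if "\\" not in path:
        reasons.append(f"bare filename {base} with no directory")
    elif (path.lower().startswith("c:\\windows\\") and path.count("\\") == 2
          and base.lower() not in SYSTEM_BINARIES):
        reasons.append(f"{base} sits directly in the Windows directory")
    if ext in ("vbe", "vbs", "bat", "scr"):
        reasons.append(f"script or batch file ({ext}) as autostart")
    if mimics_system_binary(base):
        reasons.append(f"{base} mimics a Windows system binary name")
    return reasons

def check_entry(section, body):
    """Return the reasons this HJT entry deserves review ([] = nothing noted)."""
    reasons = []
    if section in ("R0", "R1"):  # IE start/search/default pages
        for url in URL_RE.findall(body):
            if url.startswith("res://"):
                reasons.append("IE page served from a resource inside a DLL")
            elif not is_trusted(url):
                reasons.append(f"IE start/search setting points at {host_of(url)}")
    elif section == "F1":
        reasons.append("legacy win.ini autostart")
    elif section == "O4":
        reasons = check_autostart(body)
    elif section == "O16":  # ActiveX "Downloaded Program Files"
        for url in URL_RE.findall(body):
            if url.lower().endswith(".exe"):
                reasons.append("ActiveX DPF entry downloads a raw .exe")
            if not is_trusted(url):
                reasons.append(f"ActiveX download from {host_of(url)}")
    elif section == "O21":  # ShellServiceObjectDelayLoad: loaded into Explorer
        missing = " (file missing)" if "(file missing)" in body else ""
        reasons.append("SSODL shell-load entry" + missing)
    return reasons

def triage(text):
    """Return [(section, body, reasons)] for every entry that raised a reason."""
    flagged = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (reasons := check_entry(m.group("section"), m.group("body"))):
            flagged.append((m.group("section"), m.group("body"), reasons))
    return flagged

# Constructed sample: entry lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F1 - win.ini: run=fntldr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKLM\..\Run: [Windows Security Assistant] C:\WINDOWS\system32\rundll32.vbe
O4 - Global Startup: winlogin.exe
O16 - DPF: {1E89F686-B78D-4C85-9EFC-3474516E3FE2} - http://ultimateplugin.com/plugin/109185.exe
O21 - SSODL: systemie - {B64527EA-2004-49C5-87E6-6151766434E1} - systemie.dll (file missing)
"""
```

Running `triage(SAMPLE_LOG)` flags seven of the nine entries and leaves the IgfxTray and ProxyOverride lines alone; the flags are prompts for review, not verdicts.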

#5 stu

stu
  • Topic Starter

  • Members
  • 24 posts

Posted 08 February 2005 - 02:28 PM

I ran everything again and here are the logs. I ran both online virus scans and it seemed to take care of everything but a few items. There were some that could not be cleaned or deleted. Attached is the new Hijack log, Spybot Log and Ad aware SE logs.

Logfile of HijackThis v1.99.0
Scan saved at 1:20:52 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\Program Files\Spyware Doctor\swdoctor.exe /Q
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.../v6/brix6ie.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1107794960484
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {B64527EA-2004-49C5-87E6-6151766434E1} - systemie.dll (file missing)
O21 - SSODL: systemp - {87DFCAE8-5FD1-4EDB-A99B-E1F801A5D1D2} - systemp.dll (file missing)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Spybot Log


Incident Status Location

Virus:Trj/Narod.B Disinfected Operating system
Virus:Trojan Horse.AP Disinfected C:\bitmap.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\139359.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\164906.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\216601296.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\218999593.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\219025031.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\32904328.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\32963968.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\32999406.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Dusti\Local Settings\Temp\81171.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1111671.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1173859.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1260125.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1266468.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\134312.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1365687.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1395500.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\167765.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1721093.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\176406.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\1776406.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\186312.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\219734.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\245953.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\246062.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\513562.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\535578.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\718093.tmp
Virus:Trj/Krepper.A Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\860453.tmp
Virus:Trj/Downloader.FI Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\msgA.tmp10847581244169.exe
Virus:Trj/Downloader.FI Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\msgB.tmp10860207930748.exe
Virus:Trj/Downloader.FI Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\msgF.tmp10837084870545.exe
Virus:Trojan Horse.AP Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\stop.ifp0srdjsewuyj.exe
Virus:Trj/Legmir.D Disinfected C:\Documents and Settings\Rodney\Local Settings\Temp\xdlrccc.exe
Virus:Trj/Narod.B Disinfected C:\nnctl.exe
Virus:Trj/Narod.B Disinfected C:\ppdtl.exe
Virus:Trj/Downloader.ABJ Disinfected C:\WINDOWS\38mbuifc05.exe
Virus:Trj/StartPage.F Disinfected C:\WINDOWS\fntldr.exe
Virus:Trojan Horse Disinfected C:\WINDOWS\hh.htt
Virus:Trj/Regger.B Disinfected C:\WINDOWS\SYSTEM32\961031.exe
Virus:W32/Sdbot.AOT.worm Disinfected C:\WINDOWS\SYSTEM32\bling.exe
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\o
Virus:Trj/Narod.B Disinfected C:\WINDOWS\SYSTEM32\sief.dat
Virus:Trj/Narod.B Disinfected C:\WINDOWS\SYSTEM32\sp.dat
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\sysie.dll
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\sysp.dll
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\systemie.dll
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\systemie.exe
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\systemp.dll
Virus:Trj/Narod.B Renamed C:\WINDOWS\SYSTEM32\systemp.exe
Adaware SE
Ad-Aware SE Build 1.05
Logfile Created on:Tuesday, February 08, 2005 9:27:41 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R27 05.02.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:8):15 total references
Alexa(TAC index:5):3 total references
begin2search(TAC index:3):51 total references
BookedSpace(TAC index:10):5 total references
ClickSpring(TAC index:6):1 total references
CoolWebSearch(TAC index:10):18 total references
DownloadPlus(TAC index:5):1 total references
DyFuCA(TAC index:3):7 total references
Ebates MoneyMaker(TAC index:4):1 total references
istbar(TAC index:6):1 total references
MRU List(TAC index:0):9 total references
Other(TAC index:5):2 total references
TopMoxie(TAC index:3):4 total references
Tracking Cookie(TAC index:3):2 total references
Win32.Trojan.ByteVerify.A(TAC index:8):9 total references
VX2(TAC index:10):5 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R27 05.02.2005
Internal build : 32
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 410347 Bytes
Total size : 1296130 Bytes
Signature data size : 1266439 Bytes
Reference data size : 29179 Bytes
Signatures total : 36032
Fingerprints total : 616
Fingerprints size : 23320 Bytes
Target categories : 15
Target families : 631


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:69 %
Total physical memory:260592 kb
Available physical memory:179224 kb
Total page file size:640936 kb
Available on page file:588728 kb
Total virtual memory:2097024 kb
Available virtual memory:2050692 kb
OS:Microsoft Windows XP Home Edition Service Pack 1 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


2-8-2005 9:27:41 AM - Scan started. (Custom mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 156
ThreadCreationTime : 2-8-2005 3:26:12 PM
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 204
ThreadCreationTime : 2-8-2005 3:26:24 PM
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 228
ThreadCreationTime : 2-8-2005 3:26:26 PM
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 272
ThreadCreationTime : 2-8-2005 3:26:30 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 284
ThreadCreationTime : 2-8-2005 3:26:31 PM
BasePriority : Normal
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 448
ThreadCreationTime : 2-8-2005 3:26:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 472
ThreadCreationTime : 2-8-2005 3:26:34 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 696
ThreadCreationTime : 2-8-2005 3:26:48 PM
BasePriority : Normal
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:9 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 788
ThreadCreationTime : 2-8-2005 3:27:04 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.ohb.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.ohb.1
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.ohb

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.ohb
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.momo.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.momo.1
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.momo

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.momo
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.iiittt.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.iiittt.1
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.iiittt

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.iiittt
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.dbi.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.dbi.1
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.amo.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.amo.1
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.amo

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.amo
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{081de2f6-927b-4aa9-88c1-f531c9387383}

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{7c5e5671-7a1d-4ae8-91f0-496adf2825f7}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{7c5e5671-7a1d-4ae8-91f0-496adf2825f7}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{09c14745-90fd-42d1-9276-4924d7dbc274}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{09c14745-90fd-42d1-9276-4924d7dbc274}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{07e9cdf4-20d2-46b1-b681-663968f527ce}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{07e9cdf4-20d2-46b1-b681-663968f527ce}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a797a41d-f9f0-4a32-b9b5-af927cb5ae54}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{a797a41d-f9f0-4a32-b9b5-af927cb5ae54}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{17973bd7-959c-4d8a-8b2f-ab200e20a75e}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{17973bd7-959c-4d8a-8b2f-ab200e20a75e}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{bf7cb2c3-55b6-44c1-9615-920d004c27f7}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{bf7cb2c3-55b6-44c1-9615-920d004c27f7}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f912c325-5b26-4ad6-bf39-84370833e972}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{f912c325-5b26-4ad6-bf39-84370833e972}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.dbi

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : winb2s.dbi
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b12508ad-ca55-4238-8db3-55808ba6915a}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{b12508ad-ca55-4238-8db3-55808ba6915a}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6fe4aadf-edac-4037-9164-0b60179a4f12}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{6fe4aadf-edac-4037-9164-0b60179a4f12}
Value :

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data4

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data3

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data1

CoolWebSearch Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\cassandra
Value : data2

CoolWebSearch Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\melcosoft

Win32.Trojan.ByteVerify.A Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{5f10319b-c8d4-4e49-a30c-c0e8cee611d7}

Win32.Trojan.ByteVerify.A Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{5f10319b-c8d4-4e49-a30c-c0e8cee611d7}
Value :

Win32.Trojan.ByteVerify.A Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : syscom.dloader

Win32.Trojan.ByteVerify.A Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : syscom.dloader
Value :

Win32.Trojan.ByteVerify.A Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{22b3b001-82cb-4977-96e2-d55cebadce38}

Win32.Trojan.ByteVerify.A Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{22b3b001-82cb-4977-96e2-d55cebadce38}
Value :

Win32.Trojan.ByteVerify.A Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{59e961b9-9acf-44fc-9bf5-003470cc2534}

Win32.Trojan.ByteVerify.A Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : syscom.dloader.1

Win32.Trojan.ByteVerify.A Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : syscom.dloader.1
Value :

180Solutions Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "partner_id"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\sais
Value : partner_id

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Alexa Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1316554795-2773606206-3513047223-500\software\microsoft\internet explorer\extensions\cmdmapping
Value : {c95fe080-8f5d-11d2-a20b-00aa003c157a}

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 59
Objects found so far: 59


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 59

MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\mmradio
Description : information on the last station listened to using musicmatch radio


MRU List Object Recognized!
Location: : software\musicmatch\musicmatch jukebox\4.0\fileconv
Description : file conversion location settings in musicmatch jukebox


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1316554795-2773606206-3513047223-500\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : C:\Documents and Settings\Administrator\recent
Description : list of recently opened documents



Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 68



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_4[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Dusti\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\



DownloadPlus Object Recognized!
Type : File
Data : DownloadPlus.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Application Data\
FileVersion : 1.0.6
ProductVersion : 1.0.6
ProductName : DownloadPlus
CompanyName : Porn Kings
FileDescription : DownloadPlus
InternalName : DownloadPlus.exe
LegalCopyright : © Porn Kings. All rights reserved.
OriginalFilename : DownloadPlus.exe
Comments : FOFFSET=0;AFFILIATE_ID=806346


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rodney@inet-traffic[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Rodney\Cookies\rodney@inet-traffic[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : rodney@tickle[2].txt
Category : Data Miner
Comment :
Value : C:\Documents and Settings\Rodney\Cookies\rodney@tickle[2].txt

TopMoxie Object Recognized!
Type : File
Data : djtopr1150.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\



istbar Object Recognized!
Type : File
Data : iinstall.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\



TopMoxie Object Recognized!
Type : File
Data : jkill.exe
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\



DyFuCA Object Recognized!
Type : File
Data : optimize.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\



ClickSpring Object Recognized!
Type : File
Data : MediaTicketsInstaller[1].cab
Category : Data Miner
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\Temporary Internet Files\Content.IE5\9JUPOGPM\



CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_2[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\Temporary Internet Files\Content.IE5\IYMX0486\



DyFuCA Object Recognized!
Type : File
Data : optimize[1].exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\Temporary Internet Files\Content.IE5\YXGH876R\



BookedSpace Object Recognized!
Type : File
Data : polall1m.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\THI5660.tmp\



VX2 Object Recognized!
Type : File
Data : twaintec.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\THI5660.tmp\
FileVersion : 0, 1, 4, 35
ProductVersion : 0, 1, 4, 35
ProductName : twaintec
CompanyName : Twaintec
FileDescription : www.twain-tech.com
InternalName : twaintec
LegalCopyright : Copyright © 2003
OriginalFilename : twaintec.dll
Comments : www.Twain-Tech.com


BookedSpace Object Recognized!
Type : File
Data : polall1m.exe
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\THI5C8D.tmp\



VX2 Object Recognized!
Type : File
Data : twaintec.dll
Category : Malware
Comment :
Object : C:\Documents and Settings\Rodney\Local Settings\Temp\THI5C8D.tmp\
FileVersion : 0, 1, 4, 35
ProductVersion : 0, 1, 4, 35
ProductName : twaintec
CompanyName : Twaintec
FileDescription : www.twain-tech.com
InternalName : twaintec
LegalCopyright : Copyright © 2003
OriginalFilename : twaintec.dll
Comments : www.Twain-Tech.com


Ebates MoneyMaker Object Recognized!
Type : File
Data : 1150_1.dat
Category : Data Miner
Comment :
Object : C:\Program Files\Web_Rebates\Sy1150\Sy1150\



CoolWebSearch Object Recognized!
Type : File
Data : k3oi7818cl.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_2.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_3.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



CoolWebSearch Object Recognized!
Type : File
Data : stop.00009_4.exe
Category : Malware
Comment :
Object : C:\WINDOWS\



DyFuCA Object Recognized!
Type : File
Data : commcoss.dll
Category : Malware
Comment :
Object : C:\WINDOWS\SYSTEM32\<

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:49 AM

Posted 08 February 2005 - 02:37 PM

I ran both online virus scans and it seemed to take care of everything but a few items. There were some that could not be cleaned or deleted.


I need to know the locations of the files that could not be cleaned or deleted, so we can delete them.

You have some suspicious files we need to check. Go to Jotti's malware scan, press the Browse button, and find C:\WINDOWS\dnscleaner.exe, then upload and scan it. Let me know the results. Copy and paste the output to this thread.


Also do the same for C:\WINDOWS\system32\winlogon.exe

Edited by SifuMike, 08 February 2005 - 02:49 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 stu

stu
  • Topic Starter

  • Members
  • 24 posts
  • Local time:10:49 AM

Posted 08 February 2005 - 03:11 PM

I will run the two items you discussed below. I did make note of the locations of the files that could not be cleaned. They were as follows:

C:\Windows\system32\sysie.dll
C:\Windows\system32\sysp.dll
C:\Windows\system32\systemie.dll
C:\Windows\system32\systemie.exe
C:\Windows\system32\systemp.dll
C:\Windows\system32\systemp.exe

I will post the others shortly.

#8 stu

stu
  • Topic Starter

  • Members
  • 24 posts
  • Local time:10:49 AM

Posted 08 February 2005 - 03:19 PM

Jotti's malware scan 2.42


File: winlogon.exe
Status: OK
Packers detected: None

AntiVir No viruses found (0.46 seconds taken)
Avast No viruses found (4.67 seconds taken)
AVG Antivirus No viruses found (4.19 seconds taken)
BitDefender No viruses found (3.39 seconds taken)
ClamAV No viruses found (4.17 seconds taken)
Dr.Web No viruses found (3.64 seconds taken)
F-Prot Antivirus No viruses found (0.12 seconds taken)
Fortinet No viruses found (1.15 seconds taken)
Kaspersky Anti-Virus No viruses found (1.56 seconds taken)
mks_vir No viruses found (0.69 seconds taken)
NOD32 No viruses found (1.53 seconds taken)
Norman Virus Control No viruses found (3.87 seconds taken)


File: dnscleaner.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT

AntiVir No viruses found (0.21 seconds taken)
Avast No viruses found (1.61 seconds taken)
AVG Antivirus No viruses found (2.38 seconds taken)
BitDefender No viruses found (2.13 seconds taken)
ClamAV No viruses found (1.05 seconds taken)
Dr.Web No viruses found (1.79 seconds taken)
F-Prot Antivirus No viruses found (0.09 seconds taken)
Fortinet No viruses found (0.40 seconds taken)
Kaspersky Anti-Virus No viruses found (0.59 seconds taken)
mks_vir No viruses found (0.20 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (0.37 seconds taken)
Norman Virus Control No viruses found (0.63 seconds taken)

#9 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:49 AM

Posted 08 February 2005 - 03:38 PM

Hello Stu,

You have some nasty malware on your computer. :thumbsup: Not to worry, we will soon have it off. :flowers:

****************************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key.



Please boot into Safe Mode, go to HijackThis->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each.
C:\WINDOWS\System32\tibs3.exe

****************************************************

While in Safe Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix.”

Did you want these web sites that the R0 and R1 entries are pointing to? If not, then fix them.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yoursearch247.com/se.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.yoursearch247.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://letgohome.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


R3 - Default URLSearchHook is missing
F1 - win.ini: run=fntldr.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)


If you did not install dnscleaner, then Fix it
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe

O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - Global Startup: winlogin.exe
O19 - User stylesheet: (file missing)
O21 - SSODL: systemie - {B64527EA-2004-49C5-87E6-6151766434E1} - systemie.dll (file missing)
O21 - SSODL: systemp - {87DFCAE8-5FD1-4EDB-A99B-E1F801A5D1D2} - systemp.dll (file missing)


****************************************************


Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders' and deselect (uncheck) 'hide protected operating system files (recommended)'.

Find and delete each of the following. If you can't delete an item, right-click it and click properties. Make sure 'read-only' is unchecked.
If you still can't delete something, right-click it and rename it to a random word. Then drag the item to a different location. Try deleting it now. If you still can't, be sure to let me know.

Delete the following files/folders in bold:
If you did not install dnscleaner, then delete it.
C:\WINDOWS\dnscleaner.exe <==file
C:\WINDOWS\System32\tibs3.exe <==file
winlogin.exe <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\WINDOWS\
systemp.dll <==file You will have to search for this file. It may be in C:\WINDOWS\system32\ or C:\WINDOWS\

****************************************************

Let's empty the temp files:

Download CCleaner from http://www.ccleaner.com/ and install it. (default location is best).
Select the Windows tab and run CCleaner (click Run Cleaner, bottom right); when it finishes scanning, click Exit.
When you see "Complete" on the top line, it's done. It's very fast.

****************************************************

Reboot and post a new Hijackthis log, and tell me how your computer is running.

Finally, run the two virus scans again and see if those uncleanable and undeletable files are gone.

#10 stu
  • Topic Starter
  • Members
  • 24 posts

Posted 08 February 2005 - 04:45 PM

I booted in safe mode and went to the Hijackthis config > misc tools and opened the processes and did not see one called C:\Windows\System32\tibs.exe

I also ran Hijackthis and looked on the log and don't see some of the entries that you advised me to fix.

Any suggestions?

#11 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 February 2005 - 04:53 PM

Try running Hijackthis in the Normal Mode to see if you see the items I said to fix.

If you do not see all the items to fix or delete, just fix the ones I have listed that you can see.

Then reboot and submit a new Hijackthis log and we will see what is left.

#12 stu
  • Topic Starter
  • Members
  • 24 posts

Posted 08 February 2005 - 05:24 PM

Ok I think we hit a bump in the road. I renamed the winlogin.exe file and moved it to another location and it would still not allow me to delete it. Once I finished up everything and rebooted, it now won't start up and just keeps rebooting and never makes it to the logon screen.

#13 stu
  • Topic Starter
  • Members
  • 24 posts

Posted 08 February 2005 - 05:31 PM

I must have renamed the winlogon.exe and not the malicious one, winlogin.exe. Anything to fix this, or is it time to re-install? That's the only thing I can think of.
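The mix-up above (renaming the genuine winlogon.exe instead of the look-alike winlogin.exe) is exactly the mistake a cleanup checklist should catch before anything is touched. The script below is an added example, not code from this thread or from HijackThis: it classifies each candidate path from the file-hunt list against a small set of protected Windows binaries, refusing exact matches in their real location and flagging near-miss names for a second look. The protected-name set, the system-directory list and the sample paths are assumptions constructed for the example.

```python
"""Sanity-check a cleanup list before renaming or deleting anything.

Verdicts: 'refuse'    = a protected Windows binary in its real home, never touch it
          'misplaced' = a protected name outside its real home, investigate first
          'lookalike' = within one edit of a protected name (winlogin vs winlogon)
          'unmatched' = no collision with a protected name (still not proof it is safe)
"""
import ntpath

# Assumed set of genuine Windows binaries a cleanup step must never rename or delete.
PROTECTED = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe",
}
# Assumed locations of those binaries on a default Windows XP install.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

def edit_distance(a, b):
    """Levenshtein distance between two strings (iterative row-by-row version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(path):
    """Return 'refuse', 'misplaced', 'lookalike' or 'unmatched' for one candidate path."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    if name in PROTECTED:
        return "refuse" if folder in SYSTEM_DIRS else "misplaced"
    if any(edit_distance(name, p) <= 1 for p in PROTECTED):
        return "lookalike"
    return "unmatched"

def review(paths):
    """Map every candidate path to its verdict."""
    return {p: classify(p) for p in paths}

if __name__ == "__main__":
    CANDIDATES = [  # constructed from the file list in the post above
        r"C:\WINDOWS\dnscleaner.exe",
        r"C:\WINDOWS\System32\tibs3.exe",
        r"C:\WINDOWS\System32\winlogin.exe",
        r"C:\WINDOWS\system32\winlogon.exe",   # the file renamed by mistake in post #12
    ]
    for path, verdict in review(CANDIDATES).items():
        print(f"{verdict:9s} {path}")
```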

#14 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 February 2005 - 06:13 PM

I must have renamed the winlogon.exe and not the malicious one, winlogin.exe. Anything to fix this, or is it time to re-install? That's the only thing I can think of.


Well, if you cannot get on your system, then you cannot change the file. :thumbsup:
Do you have a Dell computer? And do you have the Reinstallation CD for MS Home Edition? If so, then you can reload (install) XP without losing anything.
But do not do this yourself, as it is complex.

Edited by SifuMike, 08 February 2005 - 06:15 PM.


#15 stu
  • Topic Starter
  • Members
  • 24 posts

Posted 08 February 2005 - 06:25 PM

Yes, I have a Dell computer and yes, I have the disk. I am not sure that I changed the wrong file. Is it possible, since I deleted or stopped some of the virus stuff, that on the reboot it locked my PC down?



