ataamon.dll


22 replies to this topic

#1 heart (Members)

Posted 25 April 2004 - 10:37 AM

This installed itself in my System32 folder one week ago. There may be more like it, but this is what I have found. I used HijackThis and disabled a bunch of things that were attaching themselves to IE when it ran. However, this thing will not let me delete it. When I try to, it says it is being used by another person or program and to close all programs that might be using it and try again. It also creates a copy of itself in System32; I can delete that, but it comes back. I believe HijackThis has disabled it, but I'd like to delete it as well.

Also, here is my startup list. If anyone sees any more problems I should know about, please tell me. PS: I never knew a site like this existed. WOW!!

StartupList report, 4/25/2004, 11:53:25 AM
StartupList version: 1.52
Started from : F:\Documents and Settings\heart\Desktop\StartupList.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
F:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
F:\Program Files\Trillian\trillian.exe
F:\Program Files\Serv-U\ServUAdmin.exe
F:\Program Files\Serv-U\ServUDaemon.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Messenger\msmsgs.exe
F:\Documents and Settings\heart\Desktop\StartupList.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = F:\WINDOWS\SYSTEM32\Userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ccApp = "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
GhostStartTrayApp = F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
ATIPTA = F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
Jet Detection = "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
QD FastAndSafe =
QuickTime Task = "F:\Program Files\QuickTime\qttask.exe" -atboottime
CloneCDTray = "F:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpySweeper = F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
MsnMsgr = "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
ctfmon.exe = F:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from F:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=F:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer.job
Norton SystemWorks One Button Checkup.job
Symantec Drmc.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Symantec AntiVirus scanner]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = F:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = F:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: F:\WINDOWS\system32\SHELL32.dll
CDBurn: F:\WINDOWS\system32\SHELL32.dll
WebCheck: F:\WINDOWS\System32\webcheck.dll
SysTray: F:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,126 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


#2 heart (Topic Starter)

Posted 25 April 2004 - 10:43 AM

Also, here is my log file. If there is anything here that shouldn't be, please let me know. Thank you.

Logfile of HijackThis v1.97.7
Scan saved at 12:40:54 PM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
F:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
F:\Program Files\Trillian\trillian.exe
F:\Program Files\Serv-U\ServUDaemon.exe
F:\WINDOWS\system32\NOTEPAD.EXE
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
F:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Documents and Settings\heart\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smackcentral.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.smackcentral.net
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "F:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

#3 Papakid (Malware Response Team)

Posted 25 April 2004 - 04:09 PM

Hi heart,
Your log looks good. Nothing malicious there unless I'm missing something.

ataamon.dll is not showing up in any malware databases or Google. And it's not in your startup or running processes. Could mean it's new malware or just an unknown file from some obscure program. Can you relate the presence of this file to a time when you added something, like a little-known game or other large application installation?

I suggest you go to this page and have the file scanned by Kaspersky Labs. They have the most up-to-date definitions & would know if it's been discovered. If they say it's malicious, boot into safe mode, navigate to the file(s) in question & delete them from there. If it's listed as suspicious, there is a link at the bottom of the page to submit the files to Kaspersky. Then, while in safe mode, rename the file(s) to "ataamon.old", boot back up into normal mode & test to see if you get any errors or if performance has been affected. Even if it's not termed suspicious I would suggest renaming this file anyway; you should be cautious about deleting files from the System32 directory.

Let us know how it works out. If it still keeps coming back or you are still having problems with it we may need to investigate further.

Edit: I've been assuming that you have Windows set to show hidden files & folders--if this is not the case, before you follow any of my suggestions, please review the tutorial How to see hidden files in Windows. Also, if you have disabled anything in msconfig, start that app & under the general tab, take it out of "selective startup" & put it in "Normal". If you had it in selective & have to change it, scan again with HijackThis & post another log--just the logfile, the startup list is not necessary at this time.

The thing about people is they change when they walk away. --Mipso


#4 heart (Topic Starter)

Posted 25 April 2004 - 10:05 PM

Hi Papakid,

I went to Kaspersky's page and scanned that file. It is not in that database, and yes, I do know how it got on my comp. At least HijackThis disabled it. It is a rundll file, I think, called UMonitor, because ever since HijackThis disabled it I get a rundll error when I access IE. It is adware or spyware, and it is being missed by Spybot: Search and Destroy, Webroot SpySweeper and Ad-Aware 6. Also, I cannot rename, move or delete this file. I can delete the copy, but it always comes back.

heart

#5 Guest_MrSnausage_* (Guest)

Posted 25 April 2004 - 10:21 PM

Have HijackThis restore the umonitor backup and then post a new log that contains the umonitor info so we can take a look.

#6 heart (Topic Starter)

Posted 26 April 2004 - 02:25 PM

Hey, I must have deleted the backups of what I fixed, hence I don't think I can do that. The next time I get the rundll error I can send you what it says. Anyhow, the thing is being ignored, and I am at least happy about that. I am trying not to have to throw on the Ghost image I made after a recent Windows reinstall, because it is so much work and time to reinstall and set everything up. Kaspersky's site asked me to send it to them, but I cannot rename, edit, move, cut, copy or paste it. I am not too familiar with safe mode. I am running WinXP Pro.

heart
PS: Thanks for your help.

#7 Grinler (Lawrence Abrams, Admin)

Posted 26 April 2004 - 03:18 PM

Well, if you know where the file is located and can actually see it, but just cannot delete it, then you can try this.

Boot into safe mode using the link Papakid posted above. Once in safe mode, find the file using Windows Explorer or My Computer. Try to delete it.

If you cannot delete it, then right-click on it and click on Properties. At the bottom you should see an Attributes section. If Read-only is checked, uncheck it and press Apply and then OK.

Then try to delete the file.

If it is not checked, try to rename it first. Click once on it to select it and then press the F2 key. Type in a new name. If that works, then reboot and try to delete it after you reboot.

Let us know how it works out.
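The steps Papakid (post #3) and Grinler (post #7) describe, as an added Python example; this is not code from the thread or from any tool named in it. It runs the same sequence a person would click through: clear the Read-only attribute, try the delete, rename the file aside to .old, and as a last resort ask Windows to delete it during the next boot before anything can reopen it. That last step calls the Win32 MoveFileExW API with MOVEFILE_DELAY_UNTIL_REBOOT (the mechanism Windows itself uses for files that are held open; it needs administrator rights) and is skipped on other platforms. The function names are this example's own, and the read-only sample file it creates is constructed for the demonstration.

```python
import ctypes
import os
import stat
import sys
import tempfile

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # winbase.h flag for MoveFileExW


def clear_readonly(path):
    """Uncheck the Read-only attribute (the Properties dialog step).
    Returns True if the attribute was set and has now been cleared."""
    mode = os.stat(path).st_mode
    if mode & stat.S_IWRITE:
        return False
    os.chmod(path, mode | stat.S_IWRITE)  # on Windows this toggles only the read-only attribute
    return True


def rename_aside(path, suffix=".old"):
    """The F2 step: rename the file so nothing loads it under its old name.
    Raises PermissionError when the file is locked, as heart reports."""
    target = path + suffix
    os.rename(path, target)
    return target


def schedule_delete_on_reboot(path):
    """Ask Windows to delete the file during the next boot, before any program
    (or the malware's own copy) can reopen it.  Needs administrator rights; it
    records the request under HKLM ... Session Manager\\PendingFileRenameOperations.
    Returns False when not on Windows, where this step does not exist."""
    if sys.platform != "win32":
        return False
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.MoveFileExW.argtypes = [ctypes.c_wchar_p, ctypes.c_wchar_p, ctypes.c_uint32]
    kernel32.MoveFileExW.restype = ctypes.c_int
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())
    return True


def remove_locked_file(path):
    """Run the thread's steps in order and report which one worked:
    'deleted', 'renamed' (delete the .old copy after the reboot),
    'scheduled' (gone after the next boot) or 'failed'."""
    clear_readonly(path)
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        pass
    try:
        rename_aside(path)
        return "renamed"
    except PermissionError:
        pass
    return "scheduled" if schedule_delete_on_reboot(path) else "failed"


def make_sample_file(name="ataamon.dll"):
    """Constructed stand-in for the stuck file: a read-only file in a fresh temp dir."""
    directory = tempfile.mkdtemp(prefix="system32-sample-")
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(b"MZ not a real DLL, constructed sample\n")
    os.chmod(path, stat.S_IREAD)
    return path


if __name__ == "__main__":
    sample = make_sample_file()
    print(sample, "->", remove_locked_file(sample))
```

Rename before delete is not a detour: a file that is still mapped can often be renamed when it cannot be removed, and once the malware's own name no longer exists the reboot breaks the "it comes back" loop long enough to delete the .old copy.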

#8 heart (Topic Starter)

Posted 27 April 2004 - 10:48 AM

Hi Grinler,
For some reason, in System Configuration I do not have a boot.ini file, so I could not get into safe mode that way. I could not get into safe mode by tapping F8 either. I have no idea why not.

In System Configuration I also tried Diagnostic Startup, but that just booted the regular startup. I have a Promise PCI IDE card installed as well, but it doesn't seem to matter when I start tapping; I still cannot access safe mode.

However, when I used Win98 I had no problem accessing safe mode, and before I installed this PCI card I had no problem. So now I have another problem that I have to do something about before I can get to renaming etc. that Windows intruder file.

#9 heart (Topic Starter)

Posted 27 April 2004 - 11:00 AM

Here is my log file for normal startup. There are a lot of extra things here, and yes, I am showing all hidden files and folders. Papakid, this is what you suggested I do. I think there are a few problems here.

Logfile of HijackThis v1.97.7
Scan saved at 12:57:53 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\WINDOWS\System32\CTHELPER.EXE
F:\Program Files\Winamp\Winampa.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
F:\Program Files\MSN Messenger\MsnMsgr.Exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
F:\Documents and Settings\heart\Desktop\HijackThis.exe
F:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
F:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smackcentral.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.smackcentral.net
F1 - win.ini: load=???
??? ???
?
F1 - win.ini: run=???
??? ???
?
??
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StorageGuard] "F:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QD FastAndSafe] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [hybidkp] F:\WINDOWS\hybidkp.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] F:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [CloneCDTray] "F:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Seca] F:\Documents and Settings\heart\Application Data\coor.exe
O4 - Global Startup: gwum.lnk = F:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

heart

#10 Grinler (Lawrence Abrams, Admin)

Posted 27 April 2004 - 11:27 AM

Fix these:
F1 - win.ini: load=???
??? ???
?
? ?
F1 - win.ini: run=???
??? ???
?
? ?
O4 - HKLM\..\Run: [hybidkp] F:\WINDOWS\hybidkp.exe
O4 - HKCU\..\Run: [Seca] F:\Documents and Settings\heart\Application Data\coor.exe

Reboot and delete these (if you can zip them up and email them to submit-malware@bleepingcomputer.com, that would be great):

F:\WINDOWS\hybidkp.exe
F:\Documents and Settings\heart\Application Data\coor.exe

Reboot and post a new HijackThis log.
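One way to reproduce the kind of comparison behind Grinler's picks above, as an added Python example that is not code from the thread or from HijackThis. It parses the O4 and F1 lines excerpted from the logs in posts #2 (baseline, before the msconfig change) and #9 (normal startup), reports entries that are new since the baseline, and flags those whose executable lives in a user profile directory or directly in the Windows directory, or whose win.ini load=/run= value is populated. The question marks in the F1 lines are how the unprintable bytes came through in the posted log. The location rules are this example's own assumptions and are deliberately loose: UpdReg.EXE from the Creative driver package trips the Windows-directory rule as well, and a human reviewer clears it, which is what Grinler did.

```python
import re

# Constructed excerpts (O4 and F1 lines only) of the two HijackThis 1.97.7 logs
# posted in this thread; entries such as ccApp and ATIPTA that appear in both are
# kept so the diff has something to discard.
BASELINE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
"""

NEW_LOG = r"""
F1 - win.ini: load=???
??? ???
?
F1 - win.ini: run=???
??? ???
?
??
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinampAgent] "F:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [UpdReg] F:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Jet Detection] "F:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [hybidkp] F:\WINDOWS\hybidkp.exe
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Seca] F:\Documents and Settings\heart\Application Data\coor.exe
O4 - Global Startup: gwum.lnk = F:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\gwum.exe
"""

TAG_RE = re.compile(r"^(?:R\d|F\d|N\d|O\d+) - ")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?:\[(?P<name>[^\]]*)\]|(?P<link>.+?) =) (?P<cmd>.+)$")
F1_RE = re.compile(r"^F1 - win\.ini: (?P<key>load|run)=(?P<value>.*)$")
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com))', re.IGNORECASE)


def parse_entries(log):
    """Split a log into entries; a line without a section tag is a continuation
    of the previous entry (wrapped or garbled, as the F1 lines here are)."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        if TAG_RE.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def new_entries(baseline, current):
    """Entries present in the current log but absent from the baseline."""
    seen = set(parse_entries(baseline))
    return [e for e in parse_entries(current) if e not in seen]


def exe_path(cmd):
    m = PATH_RE.search(cmd)
    return m.group("path") if m else None


def classify(entry):
    """Reason the entry deserves a closer look, or None.  The location rules are
    this example's own heuristics, not anything HijackThis itself applies."""
    m = O4_RE.match(entry)
    if m:
        path = exe_path(m.group("cmd"))
        if path is None:  # bare name such as CTHELPER.EXE, resolved via PATH
            return None
        low = path.lower()
        if "\\application data\\" in low or "\\documents and settings\\" in low:
            return "autorun executable stored in a user profile directory"
        if low.rsplit("\\", 1)[0].endswith("\\windows"):
            return "autorun executable sitting directly in the Windows directory"
        return None
    m = F1_RE.match(entry)
    if m and m.group("value").strip():
        return "win.ini %s= is populated (normally empty on XP)" % m.group("key")
    return None


def triage(baseline, current):
    """(entry, reason) for every new entry that a location or win.ini rule flags."""
    return [(e, classify(e)) for e in new_entries(baseline, current) if classify(e)]


if __name__ == "__main__":
    for entry, reason in triage(BASELINE_LOG, NEW_LOG):
        print("%s\n    %s" % (reason, entry))
```

The diff alone is noisy here because the earlier log was taken under selective startup, so legitimate entries (WinampAgent, WINDVDPatch) also show up as new; the location rules are what narrow the list to hybidkp.exe, coor.exe and the populated win.ini keys that Grinler told heart to fix.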

#11 Papakid (Malware Response Team)

Posted 27 April 2004 - 01:06 PM

Hi heart,
Just a couple of notes that I hope you'll read before performing the fixes that Grinler has suggested.

First, you should be sure that no browser windows are open when you hit "Fix Checked". Probably a good idea not to have any other windows open. And double-check to make sure you have the right items checked.

It's not critical, but you should have HijackThis.exe in its own folder before fixing anything. When you fix items with HT, it makes backups & puts them in whatever folder HT is in. Since you have HT on the desktop, & the desktop is actually a special folder, the backups will be scattered all over your wallpaper. I'm guessing this is why you don't have the backups to your previous fixes: you deleted them to clean up your desktop. So for now just create a new folder on your desktop & move HT into it. You can move that folder to a more permanent location later if you want. Or, if you've already done the fix, move those backups into the new folder.


#12 heart (Topic Starter)

Posted 27 April 2004 - 01:29 PM

OK Grinler, I did what you said and here is the new log file. I do not know what happened to hybidkp.exe, but I have a backup of coor.exe, and if I knew how to send it to you I would do that. I can attach it to a regular email, but I don't have your address, and it will not copy or paste into your email box that comes up on this page. And Papakid, thanks for the tip; I created a HijackThis folder for backups.

Thanks,
heart

Logfile of HijackThis v1.97.7
Scan saved at 3:25:03 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
F:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
F:\Documents and Settings\heart\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smackcentral.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.smackcentral.net
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google -

#13 Grinler (Lawrence Abrams, Admin)

Posted 27 April 2004 - 01:48 PM

Is that the whole HijackThis log? Looks like we got cut off somewhere there.

What I see so far looks good. Don't worry about sending the files.

Do me a favor and repost the log again.

Thanks

#14 heart (Topic Starter)

Posted 27 April 2004 - 02:24 PM

Remember ataamon.dll? Here it is. Norton found it, but again I have to somehow get into safe mode to delete it.

http://securityresponse.symantec.com/avcen...re.look2me.html

and here is the logfile again:

Logfile of HijackThis v1.97.7
Scan saved at 4:24:29 PM, on 4/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\rundll32.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
F:\Program Files\Messenger\msmsgs.exe
F:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
F:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
F:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
F:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
F:\Program Files\Common Files\Symantec Shared\NMain.exe
F:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
F:\PROGRA~1\MOZILL~1\FIREFOX.EXE
F:\Program Files\Internet Explorer\IEXPLORE.EXE
F:\Documents and Settings\heart\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smackcentral.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.smackcentral.net
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] F:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [MSConfig] F:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpySweeper] F:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "F:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://F:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://F:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://F:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://F:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Edited by heart, 27 April 2004 - 02:45 PM.


#15 heart (Topic Starter)

Posted 27 April 2004 - 02:43 PM

Hello again. ATM my biggest issue has become why I can't get this OS into safe mode. As I said before, there is no boot.ini section in the System Configuration box that I accessed through msconfig, and all the tapping of F8 is not working either. If I can get into safe mode I will be able to rid my comp of this ataamon.dll and ataamoncpy.dll file in my Windows System32 folder, because it is still messing with IE.

Edited by heart, 27 April 2004 - 02:43 PM.




