some trojans infection


5 replies to this topic

#1 wumuz

wumuz

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 06 May 2005 - 08:25 AM

Hello,

My name is Tomas, I come from Slovakia and I am new to this forum, so this is the first topic (question) I have ever sent to You.

I have used the Internet for only two weeks and I have already had the chance to be introduced to some viruses, because I have this program Spybot installed on my computer and it found some viruses on my drive. Then all of a sudden my desktop went all blue with a note that there is a certain Trojan bluescreen.creator; also I found some new processes running on my computer, such as wp.exe and cmd32.exe and some other stuff. When I open a new window in Internet Explorer there is still some crazy search page, and in the dialog above there is also the address about:blank!

After visiting some forums I have now downloaded the program HijackThis.exe and let it scan the C: drive, and now I am sending You the result of this test. I have also installed the antivirus program called BitDefender and now I also send You the results of its scan.

HijackThis Scan results:

Logfile of HijackThis v1.99.1
Scan saved at 12:55:11, on 6.5.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\CMD32.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\BIN\ECHOCTRL.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\VSSERV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDOESRV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SOFTWIN\BITDEFENDER8\BDMCON.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Prepojenia
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {77E57021-BCE8-11D9-AC5A-4445AFBBD705} - C:\WINDOWS\SYSTEM\DBACO.DLL
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\DREXINIT.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InteliSys] C:\WINDOWS\SMSS.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender8\\bdinit.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {787E06A0-BCE8-11D9-AC5A-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {787E06A0-BCE8-11D9-AC5A-444553540000} - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {77E57020-BCE8-11D9-AC5A-4445C0F7729E} - C:\WINDOWS\SYSTEM\DBACO.DLL
O18 - Filter: text/plain - {77E57020-BCE8-11D9-AC5A-4445C0F7729E} - C:\WINDOWS\SYSTEM\DBACO.DLL


The results of the BitDefender Scan:


//-----------------------------------------------------------------
//
// Product: BitDefender 8 Professional Plus
// Version: (no ver)
//
// Created on: 06/05/2005 11:59:51
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 383
Files : 19269
Archives : 398
Packed files : 615
Identified viruses : 2
Infected files : 2
Warnings : 0
Suspect files : 6
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 8
Renamed files : 0
I/O errors : 4
Scan time : 00:12:04
Scan speed (files/sec) : 26

Virus definitions : 91871
Scan plugins : 12
Archive plugins : 37
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: vscan.log
[ ] Append to existing report

Summary:

C:\WINDOWS\SYSTEM\cmd32.exe Suspect Trojan.Downloader
C:\WINDOWS\SYSTEM\cmd32.exe Disinfection failed
C:\WINDOWS\SYSTEM\cmd32.exe Moved
C:\WINDOWS\SYSTEM\us3432xzcb.exe Suspect Trojan.StartPage
C:\WINDOWS\SYSTEM\us3432xzcb.exe Disinfection failed
C:\WINDOWS\SYSTEM\us3432xzcb.exe Moved
C:\WINDOWS\SYSTEM\lpzxczxct.exe Suspect Trojan.Downloader
C:\WINDOWS\SYSTEM\lpzxczxct.exe Disinfection failed
C:\WINDOWS\SYSTEM\lpzxczxct.exe Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\PLAKIUNK\a1[1].html Suspect HTML.MediaTickets.A
C:\WINDOWS\Temporary Internet Files\Content.IE5\PLAKIUNK\a1[1].html Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\PLAKIUNK\a1[1].html Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\BGXIZTM7\125777[1].exe=>(Upx) Infected Trojan.PornDialer.BP
C:\WINDOWS\Temporary Internet Files\Content.IE5\BGXIZTM7\125777[1].exe=>(Upx) Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\BGXIZTM7\125777[1].exe Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\1[1].exe Suspect Trojan.Downloader
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\1[1].exe Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\1[1].exe Moved
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\PopularScreenSaversFWBInitialSetup1.0.0.8-2[1].exe Infected Trojan.Dropper.FunWeb.A
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\PopularScreenSaversFWBInitialSetup1.0.0.8-2[1].exe Disinfection failed
C:\WINDOWS\Temporary Internet Files\Content.IE5\WLCN6LGX\PopularScreenSaversFWBInitialSetup1.0.0.8-2[1].exe Moved
C:\WINDOWS\loadclean.exe Suspect Trojan.Downloader
C:\WINDOWS\loadclean.exe Disinfection failed
C:\WINDOWS\loadclean.exe Moved

Scanned files

I would really appreciate it if You could give me some advice on what I should do to try to remove all these viruses, if it is still possible...

I thank You very much for Your help.

Tomas (wumuz)
email: macko22@seznam.cz
Slovakia


#2 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:14 AM

Posted 07 May 2005 - 12:55 PM

Hello wumuz and Welcome! :thumbsup:
Sorry you're having malware trouble.

Download: "StartDreck", from here

Unzip it to its own folder, name the folder Startdreck and double-click on StartDreck.exe to start the program.

Press Config
Press Unmark All

Check the following boxes only:
Registry -> Run Keys
System/Drivers -> Running Processes
Press Ok

Press Save and select the location to save the log file
(default is the same folder as the application)

Post the StartDreck log in this thread for review.

#3 wumuz

wumuz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 08 May 2005 - 04:29 PM

Hello SirJon,

Thank You very much for Your interest in helping me with this malware problem. I have simply followed the instruction steps You wrote and now I am sending You the scan file made by StartDreck on my computer. Here it is:

StartDreck (build 2.1.7 public stable) - 2005-05-08 @ 23:01:38 (GMT +02:00)
Platform: Windows 98 SE (Win 4.10.2222 A)
Internet Explorer: 5.00.2614.3500
Logged in as PC at PC

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Matrox Control Center=C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
*Matrox Color Control=C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
*Matrox Diagnostic=C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
*IrMon=IrMon.exe
*ControlPanel=C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
*C-Media Echo Control=C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
*C-Media Mixer=Mixer.exe /startup
*SystemTray=SysTray.Exe
*InteliSys=C:\WINDOWS\SMSS.exe
»RunOnce
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*BitDefender Communicator=C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
*BitDefender Scan Server=C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
*BitDefender Live! Init=C:\Program Files\Softwin\BitDefender8\\bdinit.exe
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
+FF0F498F=C:\WINDOWS\SYSTEM\KERNEL32.DLL
+FFFF9D17=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
+FFFF8AE7=C:\WINDOWS\SYSTEM\MPREXE.EXE
+FFFFB2A7=C:\WINDOWS\SYSTEM\mmtask.tsk
+FFFE18DB=C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
+FFFE1413=C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
+FFFE7123=C:\WINDOWS\EXPLORER.EXE
+FFFE8DAF=C:\PROGRAM FILES\MATROX MGA POWERDESK\MGACTRL.EXE
+FFFE8723=C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
+FFFEA1F7=C:\WINDOWS\SYSTEM\IRMON.EXE
+FFFEA08F=C:\WINDOWS\SYSTEM\CMD32.EXE
+FFFEF653=C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\BIN\ECHOCTRL.EXE
+FFFEE3C3=C:\WINDOWS\MIXER.EXE
+FFFD06C3=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
+FFFD7477=C:\WINDOWS\SYSTEM\DDHELP.EXE
+FFFEB0DF=C:\WINDOWS\SYSTEM\RNAAPP.EXE
+FFFD474B=C:\WINDOWS\SYSTEM\TAPISRV.EXE
+FFFD8397=C:\WINDOWS\SYSTEM\WMIEXE.EXE
+FFFCC8D3=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
+FFFCABF7=C:\WINDOWS\PRACOVNÁ PLOCHA\STARTDRECK\STARTDRECK.EXE
»Application specific


I would really appreciate Your help; I think it is a great thing that You are spending Your valuable time helping me. I am waiting for Your reply.
Thank You very much.

Tomas (wumuz)
Macko22@seznam.cz

#4 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:14 AM

Posted 08 May 2005 - 05:18 PM

Thank you for posting the StartDreck log.
I don't see any rogue hidden files.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.

Please enable all hidden files and folders in Windows. For instructions click here

Please download CWShredder™ Version 2.1 here. Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

Download and install the latest version of Ad-Aware SE (Ad-Aware SE Build 1.05) here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE
Please configure the program by following these instructions here. Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

Download the eScan Antivirus Toolkit here. Save it to the desktop. This program is 9.9MB in size.
Don't run it yet, we will use it later.

Please reboot into Safe Mode.
Get into Safe Mode using the F8 key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up/down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot the PC back into normal mode (Windows).
From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\TEMP\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Prepojenia
O2 - BHO: (no name) - {77E57021-BCE8-11D9-AC5A-4445AFBBD705} - C:\WINDOWS\SYSTEM\DBACO.DLL
O2 - BHO: (no name) - {A0269420-A638-4509-889C-8FC3CC85DA7E} - C:\WINDOWS\DREXINIT.DLL
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {787E06A0-BCE8-11D9-AC5A-444553540000} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {787E06A0-BCE8-11D9-AC5A-444553540000} - (no file) (HKCU)
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O18 - Filter: text/html - {77E57020-BCE8-11D9-AC5A-4445C0F7729E} - C:\WINDOWS\SYSTEM\DBACO.DLL
O18 - Filter: text/plain - {77E57020-BCE8-11D9-AC5A-4445C0F7729E} - C:\WINDOWS\SYSTEM\DBACO.DLL


From Safe Mode, double-click on CWShredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear; click OK. After clicking OK, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option (Memory, Registry, Startup Folders, System Folders, Services) are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well; now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.

From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

Copy the contents of the Quote Box below to Notepad. Name the file as cwsfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/html]

[-HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Now double-click on the cwsfix.reg file and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

From Safe Mode, please delete the following files and/or folders:
Go to Start, Find, For Files or Folders, and type in each file or folder name.

C:\WINDOWS\SYSTEM\CMD32.EXE <----Delete this file.
C:\WINDOWS\SYSTEM\DBACO.DLL <----Delete this file.

Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.

Edited by SirJon, 08 May 2005 - 05:19 PM.
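The fix list above is SirJon reading the HijackThis log by section code: R0/R1 entries redirected to a local file, an unnamed BHO and a text/html filter in C:\WINDOWS\SYSTEM, an O4 autostart for a file the BitDefender scan flagged, and every O15 Trusted Zone entry. As an added example (editor's code, not code from the thread, from HijackThis or from BleepingComputer), the script below applies those same rules to a constructed subset of the first log. The rules are assumptions distilled from this thread, not HijackThis's own classification, and the `FLAGGED_FILES` list is simply the file names the scan and the delete list name.

```python
"""Triage a HijackThis 1.99 log the way the fix list in this thread does.

Added example by the editor; not code from the thread, HijackThis or
BleepingComputer. The rules below are assumptions distilled from SirJon's
fix list, not HijackThis's own classification.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the first HijackThis log posted above, plus
# two benign lines (Spybot's SDHelper BHO and SysTray) that should pass.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\WINDOWS\TEMP\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {77E57021-BCE8-11D9-AC5A-4445AFBBD705} - C:\WINDOWS\SYSTEM\DBACO.DLL
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\SYSTEM\cmd32.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O18 - Filter: text/html - {77E57020-BCE8-11D9-AC5A-4445C0F7729E} - C:\WINDOWS\SYSTEM\DBACO.DLL
"""

# File names that the BitDefender scan and the delete list in this thread point at.
FLAGGED_FILES = ("cmd32.exe", "dbaco.dll", "drexinit.dll")

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O15"
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the log lines a reviewer would mark for 'Fix Checked', with the reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue  # header, blank and 'Running processes' lines carry no section code
        code, body = m["code"], m["body"]
        if code in ("R0", "R1"):
            # 'key,value = data': a search or start page that resolves to a
            # local file (file://...\TEMP\sp.html here) is a browser hijack.
            data = body.split(" = ", 1)[1].lower() if " = " in body else ""
            if data.startswith("file://") or "\\temp\\" in data:
                findings.append(Finding(code, "search/start page points at a local file", raw))
        elif code == "O2":
            # Unnamed Browser Helper Object whose DLL sits in the Windows directory.
            dll = body.rsplit(" - ", 1)[-1]
            if "(no name)" in body and dll.upper().startswith("C:\\WINDOWS\\"):
                findings.append(Finding(code, "unnamed BHO loaded from the Windows directory", raw))
        elif code == "O4":
            # Autostart entry whose command line names a file the AV scan flagged.
            command = body.split("] ", 1)[-1].lower()
            if any(name in command for name in FLAGGED_FILES):
                findings.append(Finding(code, "autostart runs a file flagged by the AV scan", raw))
        elif code == "O15":
            # Every Trusted Zone / Trusted IP entry in this log was added by the malware.
            findings.append(Finding(code, "site or IP range added to the IE Trusted Zone", raw))
        elif code == "O18":
            # A protocol filter on text/html or text/plain can rewrite every page IE renders.
            mime = body.split(" - ", 1)[0].replace("Filter: ", "", 1)
            if mime in ("text/html", "text/plain"):
                findings.append(Finding(code, f"protocol filter hooked on {mime}", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run on the sample, `triage` flags six lines and passes the Spybot BHO, the SysTray autostart and the `about:blank` entry; the O15 rule is deliberately blunt because a home machine on Windows 98 has no business with a dozen wildcard Trusted Zone domains, which is also why the cwsfix.reg above wipes ZoneMap entirely.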


#5 wumuz

wumuz
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:14 AM

Posted 10 May 2005 - 03:16 PM

Hello SirJon,

First of all I would like to thank You for all You have done for me so far. I followed all the instructions You gave me and there is also a significant change to be seen on my computer.

There is only one problem remaining, or rather the only one I can notice at this moment. When I click with the right mouse button on the desktop and choose Properties, there are only three possible boxes to select, and not the standard six (for example the box to set the wallpaper is not available, and two others are also missing). This has probably been caused by the malware viruses the computer was infected with, and maybe it is not possible to bring it back to the standard state without reinstalling the whole Windows 98. But maybe You have some other (simpler) suggestion on how to achieve this. Anyway, it seems that the virus problems have been solved, but naturally I am sending You the current HijackThis scan report to be safe.

There is a big thank-you I would like to express to You for all Your help.

HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:10, on 10.5.2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER COMMUNICATOR\XCOMMSVR.EXE
C:\PROGRAM FILES\COMMON FILES\SOFTWIN\BITDEFENDER SCAN SERVER\BDSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\MGACTRL.EXE
C:\PROGRAM FILES\MATROX MGA POWERDESK\COLOR\HGCCTL95.EXE
C:\PROGRAM FILES\PCI AUDIO APPLICATIONS\BIN\ECHOCTRL.EXE
C:\WINDOWS\MIXER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [Matrox Control Center] C:\Program Files\Matrox MGA PowerDesk\mgactrl.exe
O4 - HKLM\..\Run: [Matrox Color Control] C:\Program Files\Matrox MGA PowerDesk\Color\hgcctl95.exe
O4 - HKLM\..\Run: [Matrox Diagnostic] C:\Program Files\Matrox MGA PowerDesk\diag\mgadiag.exe -s
O4 - HKLM\..\Run: [C-Media Echo Control] C:\Program Files\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [BitDefender Communicator] C:\Program Files\Common Files\Softwin\BitDefender Communicator\\xcommsvr.exe
O4 - HKLM\..\RunServices: [BitDefender Scan Server] C:\Program Files\Common Files\Softwin\BitDefender Scan Server\\bdss.exe
O4 - HKLM\..\RunServices: [BitDefender Live! Init] C:\Program Files\Softwin\BitDefender8\\bdinit.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=


Thanks for all!!!
Tomas Sedliacik (wumuz)
macko22@seznam.cz

#6 SirJon

SirJon

    Malware Prevention


  • Malware Response Team
  • 230 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:14 AM

Posted 10 May 2005 - 05:14 PM

Hello Tomas,
Please reboot into Safe Mode. For instructions click here

From Safe Mode, please close ALL open windows AND browsers, open HijackThis and put checks next to all the following, then click "Fix Checked":

O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=


From Safe Mode, please delete the following files and/or folders:
Go to Start, Find, For Files or Folders, and type in each file or folder name.
Look in the C:\drive

wp.exe <----Delete this file. (If found)
wp.bmp <----Delete this file. (If found)
wldr.dll <----Delete this file. (If found)

Copy the contents of the Quote Box below to Notepad. Name the file as smitfraudfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"Wallpaper"=-
"WallpaperStyle"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Control Panel\Colors]
"Background"="0 78 152"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-
"paint.exe"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF}]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage]

[-HKEY_CLASSES_ROOT\CLSID\VMHomepage.1]

[-HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}]

[-HKEY_CLASSES_ROOT\VMHomepage]

[-HKEY_CLASSES_ROOT\VMHomepage.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HTTP\Parameters\S]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\r]


Now double-click on the smitfraudfix.reg file and when it prompts to merge, say Yes. This will clear some registry entries left behind by the malware infections.

Now reboot the PC back into Normal Mode (Windows), open HijackThis, click "Do a system scan and save a logfile", copy and paste the contents of the new logfile here for review.
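Both .reg files in this thread lean on three pieces of REGEDIT4 syntax: `[-KEY]` deletes a whole key, `[KEY]` creates it (the cwsfix.reg pairs the two to wipe ZoneMap\Domains and ZoneMap\Ranges and leave them empty), and `"name"=-` removes a single value (how the smitfraudfix.reg clears the NoDispAppearancePage and NoDispBackgroundPage policies that hide the Display Properties tabs Tomas is missing). As an added example (editor's code, not from the thread or any BleepingComputer tool), the parser below lists what a file in that format would do before it is merged. `SAMPLE_REG` is a constructed fragment in the style of the fixes above, ending with one deliberately malformed line (a value name repeated before its data, an easy slip when hand-editing); `reset_keys` picks out the wipe-and-recreate idiom, which is worth noticing because it also removes any Trusted Zone entry the user had added legitimately.

```python
"""List what a REGEDIT4 .reg file would do before it is merged.

Added example by the editor; not code from the thread or from any
BleepingComputer tool. SAMPLE_REG is a constructed fragment in the style of
the fixes above, with one deliberately malformed line at the end.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispAppearancePage"=-
"NoDispBackgroundPage"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Use Custom Search URL"=dword:00000000
"Search Bar"="Search Bar"="http://search.msn.com/spbasic.htm"
"""


@dataclass(frozen=True)
class Action:
    op: str  # delete_key | create_key | delete_value | set_string | set_dword | malformed
    key: Optional[str]
    name: Optional[str] = None
    data: object = None  # string value, int for dword, or the raw line when malformed


QUOTED = r'"(?:[^"\\]|\\.)*"'            # a double-quoted string with \" and \\ escapes
VALUE_RE = re.compile(rf"^(?P<name>{QUOTED}|@)=(?P<data>.*)$")
STRING_RE = re.compile(rf"^{QUOTED}$")
DWORD_RE = re.compile(r"^dword:[0-9A-Fa-f]{1,8}$")


def parse_reg(text: str) -> list[Action]:
    """Turn a REGEDIT4 file into the ordered list of registry actions it encodes."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    actions: list[Action] = []
    key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):
                key = None  # a value line after a delete-key line has nowhere to go
                actions.append(Action("delete_key", inner[1:]))
            else:
                key = inner
                actions.append(Action("create_key", key))
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            actions.append(Action("malformed", key, None, raw))
            continue
        name = "(Default)" if m["name"] == "@" else m["name"][1:-1]
        data = m["data"]
        if data == "-":
            actions.append(Action("delete_value", key, name))
        elif STRING_RE.match(data):
            actions.append(Action("set_string", key, name, data[1:-1]))
        elif DWORD_RE.match(data):
            actions.append(Action("set_dword", key, name, int(data[6:], 16)))
        else:
            actions.append(Action("malformed", key, name, raw))
    return actions


def reset_keys(actions: list[Action]) -> list[str]:
    """Keys that are deleted and then recreated: the wipe-and-recreate-empty idiom."""
    deleted: set[str] = set()
    out: list[str] = []
    for a in actions:
        if a.op == "delete_key":
            deleted.add(a.key.lower())
        elif a.op == "create_key" and a.key.lower() in deleted:
            out.append(a.key)
    return out


if __name__ == "__main__":
    acts = parse_reg(SAMPLE_REG)
    for a in acts:
        print(f"{a.op:<12} {a.key}  {a.name or ''}  {a.data if a.data is not None else ''}")
    print("wiped and recreated:", reset_keys(acts))
```

Reading the action list before merging is the check a practitioner would want: a `delete_key` on `Browser Helper Objects` or `CLSID` would take legitimate entries with it, and a `malformed` line means regedit will either reject the file or write something other than what was intended.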



