winse32.exe trojan


17 replies to this topic

#1 robjl3

robjl3

  • Members
  • 15 posts

Posted 25 July 2005 - 07:47 PM

Hi there! I've never posted here but the site has been very helpful so far...

I'm trying to fix a computer with some stubborn problems, and internet access is extremely low (even though I'm on DSL so I've been working with two computers)

Here is my log from HijackThis...

I've tried almost everything... please help!

Thx Rob


Logfile of HijackThis v1.99.1
Scan saved at 8:44:03 PM, on 25/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\grpmnt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\kernels32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Rob\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {AA30113B-75AD-4CC2-907F-30AA0D758A2F} - C:\WINDOWS\winys.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda
O4 - HKLM\..\Run: [mfcjm32.exe] C:\WINDOWS\mfcjm32.exe
O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\Copy_of_MSConfig.exe /auto
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [System] wumgrd32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rCabInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Malware Scanner_is1 - {DEC20716-CAA0-2A38-AE59-8A5F00B4A66C} - c:\program files\malwarescanner\wmfsyza32.dll
O21 - SSODL: LiveUpdate - {C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} - c:\program files\symantec\liveupdate\ykko32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINDOWS\svchoct.exe



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 25 July 2005 - 08:21 PM

Hello robjl3 and welcome to the BC malware forum. After reviewing your log I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download Cwshredder.exe and save it to a folder of its own. Start the program and click on the Check for Update button. If an update is available then download and install it. Close the program (do not run it yet).

Download and install ewido security suite. Update the program and then close it. Do not run it yet.

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #4

Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 robjl3

robjl3
  • Topic Starter

  • Members
  • 15 posts

Posted 25 July 2005 - 09:22 PM

Hi again,

Ewido cleaned over 250 infected items, but upon reboot in safe mode all I have is a black screen with "safe mode" in all four corners... no task bar, no icons etc... The Windows button on the keyboard doesn't work, Ctrl+Alt+Del works but no Task Manager...

Very Confusing

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 25 July 2005 - 10:45 PM

Hi robjl3. I'm not sure I understand. CWShredder and ewido should have been run in Safe Mode and then the computer should have been rebooted to normal mode, not Safe Mode.

Once those 2 programs have been run in Safe Mode, reboot normally and run a new HijackThis log and post it back here.

Cheers.

OT

#5 robjl3

robjl3
  • Topic Starter

  • Members
  • 15 posts

Posted 25 July 2005 - 11:12 PM

Sorry, my mistake. I ran Ewido and CWShredder in safe mode, then I rebooted back into safe mode and that's where I'm stuck... I've tried rebooting since in normal mode and have the same problem. I also received an error during my user logon screen: "smc.exe - Application Error", click 'OK' to end the program or press 'Cancel' to debug...

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 26 July 2005 - 10:40 AM

Hi robjl3. Ok, let's see if I understand. When you boot normally you still do not have a taskbar? Also, what happens when you press ctrl-alt-del? Do you get a dialog box for TaskManager or just nothing?

One of the problems is probably due to the fact that this operating system has never been patched and is extremely out of date. Microsoft doesn't even support this version anymore and we will need to get the OS updated to Service Pack 2.

If you cannot get anything to work when you boot normally or in Safe Mode then let's try booting to the Last Known Good Configuration from the boot menu and see what that gives us. If we still cannot get a good boot then the infection has crippled enough of the system that we will need to do a repair install. We will talk about that later if necessary.

Cheers.

OT

#7 robjl3

robjl3
  • Topic Starter

  • Members
  • 15 posts

Posted 26 July 2005 - 06:03 PM

Ok, I tried to reboot manually in safe mode through Ctrl+Alt+Del and still no icons or taskbar (tried with several users as well).

Tried last known good config and still no good.

However, I am able to run Task Manager through Ctrl+Alt+Del and run new tasks, but no internet connection... My cable internet runs fine on an uninfected computer, but when I try it on the infected computer the transfer rate is really slow.

Maybe if I run Hijackthis from the task manager I might be able to get a log copy...? Will this be of any help?

What about EWido or norton's...?

Perhaps I should try the repair install from disk, but my Win XP disk is different from the Win XP OS on the infected computer (you know, different serial key). Does this matter?

Thx so much for your help I hope I can fix this.

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 27 July 2005 - 07:40 AM

Hi robjl3. Use the Task Manager and start a new task to run HijackThis to produce a new log and post it back here. Also, download WinPFind.zip and unzip the contents to the C:\ folder. Copy the contents of the entire folder to a disk and take it to the problem computer.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the a:winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here so I can review it along with the HijackThis log.

OT

#9 robjl3

robjl3
  • Topic Starter

  • Members
  • 15 posts

Posted 27 July 2005 - 08:02 AM

Alright, here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:48:13 AM, on 27/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bsror.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [MSConfig] C:\EmergencyUtils\Copy_of_MSConfig.exe /auto
O4 - HKLM\..\Run: [xs4X3ni] oakre.exe
O4 - HKLM\..\Run: [WindowsUpdate] C
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fggkzc.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zelsnx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\Run: [mfcjm32.exe] C:\WINDOWS\mfcjm32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [kpanafun] C:\WINDOWS\kpanafun.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [8i8m8i3h] C:\WINDOWS\System32\8i8m8i3h.exe
O4 - HKLM\..\Run: [4uF4] C:\WINDOWS\tgjkuq.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Oaso] C:\Documents and Settings\Rob\Application Data\hebp.exe
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" /STARTUP
O4 - HKCU\..\Run: [gBv7RhG8X] nweit142.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rCabInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Malware Scanner_is1 - {DEC20716-CAA0-2A38-AE59-8A5F00B4A66C} - c:\program files\malwarescanner\wmfsyza32.dll (file missing)
O21 - SSODL: LiveUpdate - {C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} - c:\program files\symantec\liveupdate\ykko32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINDOWS\svchoct.exe

Here is the Winpfind log as well

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

Checking Selected Standard Folders

Checking %SystemDrive% folder...
PEC2 16/05/2005 5:06:04 PM 176876 C:\crash.txt

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
SAHAgent 03/05/2005 8:26:24 AM 35 C:\WINDOWS\SYSTEM32\00ntlu1i.ini
FSG! 11/07/2005 10:06:32 AM 2656 C:\WINDOWS\SYSTEM32\154250.exe
FSG! 18/07/2005 9:58:52 AM 6311 C:\WINDOWS\SYSTEM32\55781.exe
SAHAgent 25/07/2005 6:25:06 PM 3749 C:\WINDOWS\SYSTEM32\8i8m8i3h.ini
FSG! 13/07/2005 5:37:44 PM 6747 C:\WINDOWS\SYSTEM32\92515.exe
PEC2 23/08/2001 8:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
Umonitor 23/08/2001 8:00:00 AM 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll
SAHAgent 03/05/2005 8:26:24 AM 35 C:\WINDOWS\SYSTEM32\usvhuno2.ini
FSG! 08/07/2005 3:37:52 PM 3360 C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
winsync 23/08/2001 8:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
FSG! 03/05/2005 8:25:58 AM 398742 C:\WINDOWS\SYSTEM32\Zelsnxk1.xml

Checking %System%\Drivers folder and sub-folders...

Checking the Windows folder for system and hidden files within the last 60 days...
08/07/2005 8:34:42 AM 54156 C:\WINDOWS\QTFont.qfn
13/07/2005 3:50:54 PM 32 C:\WINDOWS\{513E9149-531D-459B-A1BC-AEC5155861E8}.dat
27/07/2005 8:46:40 AM 8192 C:\WINDOWS\system32\config\default.LOG
27/07/2005 8:46:50 AM 1024 C:\WINDOWS\system32\config\SAM.LOG
27/07/2005 8:46:44 AM 12288 C:\WINDOWS\system32\config\SECURITY.LOG
27/07/2005 8:48:06 AM 118784 C:\WINDOWS\system32\config\software.LOG
27/07/2005 8:46:42 AM 749568 C:\WINDOWS\system32\config\system.LOG
25/07/2005 7:07:42 PM 69 C:\WINDOWS\system32\GroupPolicy\Adm\admfiles.ini
27/07/2005 2:23:50 AM 6 C:\WINDOWS\Tasks\SA.DAT

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
23/02/2005 6:26:44 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
21/02/2005 2:48:02 PM 513 C:\Documents and Settings\Kelly\Application Data\AdobeDLM.log
21/02/2005 2:47:24 PM 0 C:\Documents and Settings\Kelly\Application Data\dm.ini

Checking Selected Registry Keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = E:\Ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BPS.Spyware.Adware.Remover
{7306D133-DBED-4096-84A3-8B98B23F02B4} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MS
{1457A8BB-D8BF-4C0F-B249-3CCFE652CE44}} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
load32 C:\WINDOWS\System32\winldra.exe
MSConfig C:\EmergencyUtils\Copy_of_MSConfig.exe /auto
zzsecagent
xs4X3ni oakre.exe
WindowsUpdate C
version C:\WINDOWS\System32\Fggkzc.exe
Veritas Patch veritas.exe
UserFaultCheck %systemroot%\system32\dumprep 0 -u
TBPS C:\PROGRA~1\Toolbar\TBPS.exe
System CSRSS Patch scrtkfg.exe
System C:\WINDOWS\System32\kernels32.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Spyware Nuker C:\Program Files\Spyware Nuker 2004\swn2.exe /h
SpySpotter C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
SpyHunter C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
SoundMan SOUNDMAN.EXE
SmcService C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
secure C:\WINDOWS\System32\Zelsnx.exe
RemoteControl "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
PPPOEOE winlite.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
Microsoft Update Machine winnie.exe
mfcjm32.exe C:\WINDOWS\mfcjm32.exe
Media Access C:\Program Files\Media Access\MediaAccK.exe
kpanafun C:\WINDOWS\kpanafun.exe
IST Service C:\Program Files\ISTsvc\istsvc.exe
IgfxTray C:\WINDOWS\System32\igfxtray.exe
iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
ccApp C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Anti-Virus Update Scheduler V1.39.12R C:\WINDOWS\gah32.exe
A70F6A1D-0195-42a2-934C-D8AC0F7C08EB rundll32.exe E6F1873B.DLL,D9EBC318C
98D0CE0C16B1 rundll32.exe D0CE0C16B1,D0CE0C16B1
8i8m8i3h C:\WINDOWS\System32\8i8m8i3h.exe
4uF4 C:\WINDOWS\tgjkuq.exe
00saskda "C:\Program Files\1st Security Agent\newadmin.exe" saskda

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
MicrosoftAntiSpywareCleaner C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ZeroSpyware Lite "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP
SpySheriff C:\Program Files\SpySheriff\SpySheriff.exe
Oaso C:\Documents and Settings\Rob\Application Data\hebp.exe
NetGuard Lite "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" /STARTUP
gBv7RhG8X nweit142.exe
CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe C:\WINDOWS\System32\kernels32.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Malware Scanner_is1
{DEC20716-CAA0-2A38-AE59-8A5F00B4A66C} = c:\program files\malwarescanner\wmfsyza32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\LiveUpdate
{C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} = c:\program files\symantec\liveupdate\ykko32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
Debugger = C:\WINDOWS\System32\grpmnt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

Scan Complete
WinPFind v1.2.4 - Log file written to "WinPFind.Txt" in the WinPFind folder.


I had originally tried to control some of this malware through selective startup, which worked somewhat at first but obviously not anymore...

Rob

#10 OldTimer (Malware Expert)

Posted 27 July 2005 - 12:30 PM

Hi robjl3. Yup, we pretty much have a mess here. Here's what I need you to do. Turn off MsConfig by starting a new task for msconfig.exe and then when the window opens you should be on the General tab. Click on the Normal Startup item. Then press ok until you are out of the program. It will ask you to reboot so reboot normally.

Now start HijackThis again and perform a new scan. Post the contents back here so I can review it and then we will get to work.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#11 robjl3 (Topic Starter)


Posted 27 July 2005 - 08:57 PM

We're back to normal startup and here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:53:44 PM, on 27/07/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Ewido\security suite\ewidoctrl.exe
E:\Ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\svchoct.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bsror.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [xs4X3ni] oakre.exe
O4 - HKLM\..\Run: [WindowsUpdate] C
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fggkzc.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spyware Nuker] C:\Program Files\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe -onreboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zelsnx.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\Run: [mfcjm32.exe] C:\WINDOWS\mfcjm32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [kpanafun] C:\WINDOWS\kpanafun.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [8i8m8i3h] C:\WINDOWS\System32\8i8m8i3h.exe
O4 - HKLM\..\Run: [4uF4] C:\WINDOWS\tgjkuq.exe
O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ZeroSpyware Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\ZeroSpyware Lite.exe" -STARTUP
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Oaso] C:\Documents and Settings\Rob\Application Data\hebp.exe
O4 - HKCU\..\Run: [NetGuard Lite] "C:\Program Files\FBM Software\ZeroSpyware Lite\NetGuard Lite.exe" /STARTUP
O4 - HKCU\..\Run: [gBv7RhG8X] nweit142.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/...rCabInstall.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Malware Scanner_is1 - {DEC20716-CAA0-2A38-AE59-8A5F00B4A66C} - c:\program files\malwarescanner\wmfsyza32.dll (file missing)
O21 - SSODL: LiveUpdate - {C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} - c:\program files\symantec\liveupdate\ykko32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - E:\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Ewido\security suite\ewidoguard.exe
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINDOWS\svchoct.exe

#12 OldTimer (Malware Expert)

Posted 28 July 2005 - 12:19 AM

Hi robjl3. Ok, let's see what we can do with this. Please print these directions and then proceed with the following steps in order.

Step #1

First we need to stop a couple of services. Open Notepad and Copy/Paste the contents of the quote box below into the new document:

Option Explicit
' Service Removal Tool: stops, disables and then deletes one Windows service,
' looked up by its short name or its display name, through WMI (Win32_Service).
Const title = "Service Removal Tool"

Dim sService, strComputer, objWMIService, colListOfServices, objService

' Ask which service to remove; "moto" is pre-filled for the first run
sService = InputBox("Removing Service:", title, "moto")

If sService = "" Then
    MsgBox "Script halted. No changes were made.", vbInformation, title
    WScript.Quit
End If

' Connect to the WMI repository on the local machine
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

' Match on either the service name or its display name
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = '" & sService & "' or DisplayName = '" & sService & "'")

If colListOfServices.Count > 0 Then
    For Each objService In colListOfServices
        ' Stop first, then disable so it cannot be restarted, then delete;
        ' the pauses give the Service Control Manager time to finish each step
        objService.StopService()
        WScript.Sleep 10000
        objService.ChangeStartMode("Disabled")
        WScript.Sleep 5000
        ' A service that is still running or has open handles is only marked
        ' for deletion and disappears on the next reboot
        objService.Delete()
        MsgBox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
    Next
Else
    MsgBox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a message box saying the service has been removed or marked for deletion.

Now double-click on remsvc.vbs again and type yuto into the editbox and click on the Ok button. Again, wait for the message box stating the service has been removed or marked for deletion.

Step #2

Download CleanUp! and install it but do not run it yet.

Download Pocket Killbox and unzip it to your desktop.

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"=-
"Shell"="Explorer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"=-


Step #3

Double-click on KillBox.exe to launch the program.
  • Highlight the files in bold below and press the Ctrl key and the C key at the same time to copy them to the clipboard
    • C:\WINDOWS\SYSTEM32\00ntlu1i.ini
      C:\WINDOWS\SYSTEM32\154250.exe
      C:\WINDOWS\SYSTEM32\55781.exe
      C:\WINDOWS\SYSTEM32\8i8m8i3h.ini
      C:\WINDOWS\SYSTEM32\92515.exe
      C:\WINDOWS\SYSTEM32\usvhuno2.ini
      C:\WINDOWS\SYSTEM32\vxh8jkdq5.exe
      C:\WINDOWS\SYSTEM32\Zelsnxk1.xml
      C:\WINDOWS\System32\winldra.exe
      C:\WINDOWS\System32\Fggkzc.exe
      C:\WINDOWS\System32\kernels32.exe
      C:\WINDOWS\System32\Zelsnx.exe
      C:\WINDOWS\System32\grpmnt.exe
      C:\WINDOWS\mfcjm32.exe
      C:\WINDOWS\kpanafun.exe
      C:\WINDOWS\gah32.exe
      C:\WINDOWS\tgjkuq.exe
      C:\WINDOWS\yjbyn.dll
      C:\WINDOWS\svchost.exe
      C:\WINDOWS\svchoct.exe
      C:\WINDOWS\{513E9149-531D-459B-A1BC-AEC5155861E8}.dat
      C:\Program Files\Toolbar
      C:\Program Files\Media Access
      C:\Program Files\ISTsvc
      C:\Program Files\SpySheriff
      c:\program files\malwarescanner\wmfsyza32.dll
      c:\program files\symantec\liveupdate\ykko32.dll
      C:\Documents and Settings\Rob\Application Data\hebp.exe
  • In Killbox click on the File menu and then the Paste from Clipboard item
  • In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
  • Click the option to Delete on Reboot
  • Click the checkbox for Unregister .dll Before Deleting
  • If not greyed out click the checkbox for Deltree (Include SubDirectories)
  • Now click on the red button with a white 'X' in the middle to delete the files
  • Click Yes when it says all files will be deleted on the next reboot
  • Click Yes when it asks if you want to reboot now and reboot into Safe Mode
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually
After rebooting into Safe Mode do the following:

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

oakre.exe
scrtkfg.exe
winlite.exe
winnie.exe
E6F1873B.DLL
nweit142.exe
veritas.exe

Step #4

Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Step #5

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bsror.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [xs4X3ni] oakre.exe
O4 - HKLM\..\Run: [WindowsUpdate] C
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Fggkzc.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Zelsnx.exe
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\Run: [mfcjm32.exe] C:\WINDOWS\mfcjm32.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [kpanafun] C:\WINDOWS\kpanafun.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [8i8m8i3h] C:\WINDOWS\System32\8i8m8i3h.exe
O4 - HKLM\..\Run: [4uF4] C:\WINDOWS\tgjkuq.exe
O4 - HKLM\..\RunServices: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] winnie.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [Oaso] C:\Documents and Settings\Rob\Application Data\hebp.exe
O4 - HKCU\..\Run: [gBv7RhG8X] nweit142.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O21 - SSODL: Malware Scanner_is1 - {DEC20716-CAA0-2A38-AE59-8A5F00B4A66C} - c:\program files\malwarescanner\wmfsyza32.dll (file missing)
O21 - SSODL: LiveUpdate - {C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} - c:\program files\symantec\liveupdate\ykko32.dll (file missing)

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #6

Run CWShredder
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
Step #7

Start CleanUp! and do the following:
  • Click the Options button.
  • Make sure only the following are checked:
    • Empty Recycle Bins
    • Delete Cookies
    • Delete Prefetch files (XP only)
    • Scan local drives for temporary files
    • Cleanup! All Users
  • Click the Ok button to close the Options dialog.
  • Click the CleanUp! button to run the cleanup. It may take a while depending on the size of the hard drive so be patient.
  • When it has finished, close CleanUp!.
Step #8

Reboot normally and run at least 2 of the following on-line virus scans:

Bitdefender <<<Add a check by 'Autoclean'.
RAV <<<Add a check by 'Autoclean', leave everything else as is.
eTrust <<<'Cure' whatever is found, then delete if unsuccessful
Housecall <<<Put on 'Autoclean' and delete what it can't clean.
Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #9

Your operating system is extremely out of date. By not keeping the OS updated the computer is vulnerable to every infection on the net and in emails today and trying to repair an unpatched system is virtually impossible. For update purposes, Microsoft has even stopped supporting a system that is this far out of date. Go to the Windows Update site and install Service Pack 2. Once that is done, go back to the Windows Update site and install all available Critical Updates. This will patch the system with the most current security fixes and plug all the known holes which are present on this system.

Step #10

OK. After the update, reboot your computer normally, start HijackThis and perform a new scan.

Now run a new WinPFind scan.

Use the Add Reply button to post HijackThis and WinPFind log files back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
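The picks OldTimer makes by eye in the post above (the extra program on the Winlogon Shell line, the RunServices entries, bare file names in Run keys, rundll32 loading a DLL with no path, the Trusted Zone additions, SSODL and service entries with missing files, and the svchost.exe sitting in C:\WINDOWS instead of System32) can be written down as rules. The block below is an added example, not code from the thread, from HijackThis or from WinPFind; it parses the HijackThis 1.99 line formats shown in the log and runs over a constructed sample made of lines copied from that log. The severity names and the SYSTEM32_RESIDENTS lookalike list are this example's own choices.

```python
"""Triage a HijackThis 1.99 log for the persistence hijacks seen in this thread.

Added example, not part of the thread. The rules are structural (which key a
value sits in, whether a binary has a path, whether its file exists, where a
system-named binary lives), not a signature list, so they carry past this log.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "level line reason")  # level: hijack | suspicious | review

# Binaries that live in %SystemRoot%\System32 on XP; a same-named file elsewhere is a lookalike.
SYSTEM32_RESIDENTS = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe", "services.exe"}

# Constructed sample: a handful of lines copied from the log posted above, not the full log.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [System CSRSS Patch] scrtkfg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels32.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O21 - SSODL: LiveUpdate - {C2D9EEFC-AF32-1F57-FBD4-D83D8F5F1B78} - c:\program files\symantec\liveupdate\ykko32.dll (file missing)
O23 - Service: svchost.exe (moto) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: svchoct.exe (yuto) - Unknown owner - C:\WINDOWS\svchoct.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\yjbyn.dll/sp.html#14044
"""


def _bare_name(path):
    """True when the value has no directory part, so Windows searches the PATH for it."""
    return bool(path) and "\\" not in path and "/" not in path


def _split_path(path):
    """Return (directory, file name) of a Windows path, both lower-cased."""
    path = path.strip().strip('"').lower()
    directory, _, name = path.rpartition("\\")
    return directory, name


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.rstrip()
    if line[:2] in ("R0", "R1") and re.search(r"res://.+\.dll/", line, re.I):
        return Finding("hijack", line, "IE start/search page served out of a local DLL resource (CWS-style hijack)")
    if line.startswith("F2 - REG:system.ini: Shell="):
        tokens = line.split("Shell=", 1)[1].split()
        if not tokens or tokens[0].lower() != "explorer.exe" or len(tokens) > 1:
            return Finding("hijack", line, "Winlogon Shell is not plain Explorer.exe: " + " ".join(tokens))
    if line.startswith("O4 - "):
        m = re.match(r"O4 - HK\w+\\\.\.\\(\w+): \[[^\]]*\] (.*)", line)
        if not m:
            return None  # Global Startup entries and other shapes are left alone
        key, value = m.group(1), m.group(2).strip()
        if key == "RunServices":
            return Finding("suspicious", line, "RunServices is a Win9x/ME key; on XP anything left in it is stale or malware")
        tokens = value.split()
        if tokens and tokens[0].lower() == "rundll32.exe":
            dll = tokens[1].split(",")[0] if len(tokens) > 1 else ""
            if _bare_name(dll):
                return Finding("suspicious", line, "rundll32 loads a DLL given without a path: " + dll)
        elif tokens and _bare_name(tokens[0]):
            return Finding("review", line, "bare file name, locate the file on disk and check its publisher")
        return None
    if line.startswith("O15 - "):
        return Finding("suspicious", line, "site or IP range added to the IE Trusted zone")
    if line.startswith("O21 - ") and "(file missing)" in line:
        return Finding("suspicious", line, "ShellServiceObjectDelayLoad entry pointing at a missing DLL")
    if line.startswith("O23 - Service:"):
        directory, name = _split_path(line.rsplit(" - ", 1)[1].replace("(file missing)", ""))
        if name in SYSTEM32_RESIDENTS and not directory.endswith("\\system32"):
            return Finding("hijack", line, "%s lookalike running from %s instead of System32" % (name, directory))
        if "Unknown owner" in line or "(file missing)" in line:
            return Finding("suspicious", line, "service with no recognised publisher or a missing binary")
    return None


def triage_log(text):
    """Run every line through triage_line and return the findings, worst first."""
    order = {"hijack": 0, "suspicious": 1, "review": 2}
    found = [f for f in map(triage_line, text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f.level])


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("[%-10s] %s\n             %s" % (f.level, f.line, f.reason))
```

Because the rules look at structure rather than names, the legitimate bare SOUNDMAN.EXE only gets a review flag (find the file, check its publisher) while the svchost.exe living in C:\WINDOWS is rated a hijack outright; ccApp.exe and navapsvc.exe, which carry a full path and a known publisher, produce nothing. Save a real HijackThis log as text and pass it to triage_log to get the same worst-first list.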

#13 robjl3 (Topic Starter)


Posted 02 August 2005 - 06:58 PM

Ok, got as far as running Killbox and rebooting in Safe Mode, but unfortunately I cannot open C:\windows\explorer.exe and search for those files...

In the Task Manager I go to File, New Task; in the box I type the exact location of explorer and the error reads 'cannot find file, make sure you typed the name correctly and try again. To search, press the start menu and search for the file name...' Kinda stuck here, not sure how to get explorer back...?

#14 OldTimer (Malware Expert)

Posted 02 August 2005 - 09:52 PM

Hi robjl3. Do step 4 first, reboot the machine and try step 3 again.

Cheers.

OT

#15 robjl3 (Topic Starter)


Posted 02 August 2005 - 10:24 PM

Did that, and the machine will not allow "Paste from Clipboard"...

Because no desktop icons exist, I have saved the text to be pasted as a Notepad file, saved it to a USB flash drive, opened the Notepad doc, copied the text, then ran Killbox, pressed 'File', 'Paste from Clipboard' and nothing...

However, tried right clicking in 'full path of file to delete' field and one file comes up (C:\WINDOWS\SYSTEM32\00ntlu1i.ini) but nothing else appears from the drop down arrow...
