
HJT Log / Scarlett


35 replies to this topic

#1 Scarlett


Posted 02 September 2005 - 01:25 PM

I have only noticed just recently that when I attempt to create a new desktop folder, they appear with strange names, such as Woodpecker, Kingfisher, bulbul, loon, and Swan. All are bird names, even bulbul.

I know this sounds silly, but I am terribly concerned. I am able to rename them and delete them. But why are they created with these names, instead of just being named "New Folder" until I change the names myself?

I run Spybot, AdAware, AVG Free, and A-Squared. I also have Spywareblaster.

Have any of you ever heard of such a thing as this?

Edit: I was advised by OT to post a new log once I went from selective startup to normal startup. So here it is.


Logfile of HijackThis v1.99.1
Scan saved at 2:41:49 PM, on 9/2/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HIJACKTHIS_SFX\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [WeatherWatcher] C:\PROGRAM FILES\WEATHER WATCHER\ww.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .wrl: C:\Program Files\Concentric\Internet Kit\Program\PLUGINS\npl3d32.dll
O14 - IERESET.INF: START_PAGE_URL=http://.www.msn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://.www.msn.com
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/.../ymmapi_416.dll
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/exterior/Outside.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com/components/ocx/survid/MSSurVid.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by9fd.bay9.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {C1BAC744-8F0B-11D0-89E7-00C0A8295197} (Cameractl Class) - http://www.scottishgolf.com/webcam/push.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.mapguide.com/Downloads/MG_R6.3/...er/mgaxctrl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/...363/mcfscan.cab
O16 - DPF: {51045741-8C4E-4EAC-8F03-08E43A6FBB29} - http://c.ancestry.com/cab/aft/AncestryFamilyTree.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.163.191.17/activex/AxisCamControl.ocx
O16 - DPF: {70FBDD76-044D-40C4-95E0-E15791C24AA4} (GViewer.GuardianViewer) - http://www.guardiansoftware.com/GAudit.CAB
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by18fd.bay18.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support2.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

Edited by Scarlett, 02 September 2005 - 09:18 PM.


#2 didom


Posted 03 September 2005 - 05:30 AM

Scan again with HijackThis and check the following items:

O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer

Run Panda's online virus scan and perform a full system scan: Panda ActiveScan

Save the scan log and post it in your next reply.

Also do this:

Download Silent Runners
Unzip it to a permanent folder.
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
Copy and paste the content of the text file you get afterwards in your next reply.
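As an added example (not code from the thread, from HijackThis or from the posters), the check didom applies by eye above can be written down: a small triage pass over lines in the HijackThis log format that flags O16 DPF entries with no download location, and also the R1 proxy/malformed start-page entries and the O6 policy marker visible in Scarlett's log. The sample lines are constructed from that log; the severity labels are this example's own choice.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not HJT code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse
import re

# Constructed sample, modelled on a few lines of the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://.www.msn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
"""

# Every HJT finding line starts with a section tag (R0-R3, F0-F3, O1-O23), " - ", body.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O16 body: "DPF: {CLSID} (optional friendly name) - <download URL, possibly empty>"
O16_RE = re.compile(
    r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$"
)


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" | "medium" | "info" (this example's own scale)
    reason: str
    raw: str
    detail: str = ""  # e.g. the CLSID for O16 findings


def _is_malformed_url(url: str) -> bool:
    """A host that is empty or has a leading/trailing/doubled dot was hand-edited or corrupted."""
    host = urlparse(url).hostname or ""
    return host == "" or host.startswith(".") or host.endswith(".") or ".." in host


def _triage_r1(body: str, raw: str) -> Optional[Finding]:
    # body: "<registry key>,<value name> = <value>"
    lhs, _, value = body.partition(" = ")
    _, _, value_name = lhs.rpartition(",")
    value = value.strip()
    if value_name == "ProxyServer" and value:
        return Finding("R1", "medium", f"IE proxy configured ({value}); browser traffic is relayed through it", raw, value)
    if value_name.endswith("URL") and _is_malformed_url(value):
        return Finding("R1", "medium", f"{value_name} is a malformed URL: {value}", raw, value)
    return None


def _triage_o16(body: str, raw: str) -> Optional[Finding]:
    m = O16_RE.match(body)
    if not m:
        return Finding("O16", "info", "unparsed O16 line; inspect by hand", raw)
    if not m["url"]:
        # No download location: the object cannot be attributed to any site,
        # which is exactly what made these two entries candidates for "Fix checked".
        return Finding("O16", "high", "DPF object has no download location", raw, m["clsid"])
    return None


def _triage_o6(body: str, raw: str) -> Optional[Finding]:
    if body.endswith(" present"):
        # The Silent Runners output in this thread shows the value behind this marker:
        # HomePage=dword:1, which locks the Home page field in Internet Options.
        return Finding("O6", "medium", "IE Control Panel policy restrictions present; read the key's values", raw)
    return None


HANDLERS = {"R1": _triage_r1, "O16": _triage_o16, "O6": _triage_o6}


def triage(log_text: str) -> List[Finding]:
    """Run the section handlers over every HJT finding line; other lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # running-process list, headers, blank lines
        handler = HANDLERS.get(m["section"])
        if handler and (finding := handler(m["body"], raw)):
            findings.append(finding)
    return findings


def empty_dpf_clsids(findings: List[Finding]) -> List[str]:
    return sorted(f.detail for f in findings if f.section == "O16" and f.severity == "high")


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.raw}")
```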

#3 Scarlett


Posted 03 September 2005 - 08:21 PM

It took four attempts to complete the Panda scan. Twice with the installation. And twice to get the actual scan going. I'd like to note that I already had the necessary install for Panda, from a prior date. It shows in my log. Why did it have to install again?

And about half way through, I received warnings of low resources. The amount of disc space I was told I had fluctuated constantly. It was crazy. I had 284 MB available before I started.
I realize that is a low amount. But I deal with it. It can go up to near 400 MB after routine maintenance. Lately, the amount of disc space seems to get drained easily. Which I find to be strange.

But I was alerted that I had like 24, 10, 5, and 0 MB. The #'s kept going up and down. OMG I freaked out. I wanted to keep the scan going. I was afraid my system would blow. LOL So I started deleting some stuff. And dumping some programs. CCleaner, IrfanView, YahooIM, A-Squared. I kept the most necessary ones. Now even w/o a re-boot I am up to 294 MB.
Would whatever intruder(s) that are in my system cause this? I hope that I did not screw up. I believed I had no choice in the matter. One can not run a computer on zero resources. Plus I was worried that if I aborted the scan, I would have trouble getting it going again.

I have trouble booting up and re-starting too. The system froze three times when trying to re-boot after the deletions in HJT. Once it finally booted, I tried to open Bleeping Computer through its quick launch icon. And there was no toolbar when opened. So I had to go through my home page. But the next time I clicked on the BC icon it opened just fine.


Incident Status Location

Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM\SWRT01.DLL
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\i504b6s.dll
Spyware:Spyware/Surf+ Protector No disinfected C:\WINDOWS\SYSTEM\SurfScanUpdate.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\in1bLs.dll
Adware:Adware/KeenValue No disinfected C:\WINDOWS\SYSTEM\setup_incred_1.exe
Possible Virus. No disinfected C:\WINDOWS\SYSTEM\msmene.dll
Adware:Adware/Gator No disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
Adware:Adware/GonnaSearch No disinfected C:\Program Files\Internet Explorer\Toolbar\install.exe
Adware:Adware/ActiveSearch No disinfected C:\Program Files\Internet Explorer\Toolbar\toolbar.dll
Adware:Adware/FunWeb No disinfected C:\HJT\backups\backup-20040727-213203-292.inf

I forgot about d/l 'ing Silent Runners. I was such a wreck after the chaos of doing Panda. But I will try to do it now. OK

Thanks for all your help. I'm no expert but it looks as if I have some nasty stuff in my system.

Silent Runners:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows Me (Millennium Edition)
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WeatherWatcher" = "C:\PROGRAM FILES\WEATHER WATCHER\ww.exe" [file not found]
"SpybotSD TeaTimer" = "C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TeaTimer.exe" ["Safer Networking Limited"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"AVG7_CC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP" ["GRISOFT, s.r.o."]
"AVG7_EMC" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE" ["GRISOFT, s.r.o."]
"AVG7_AMSVR" = "C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE" ["GRISOFT, s.r.o."]
"LoadQM" = "loadqm.exe" [MS]
"TaskMonitor" = "c:\windows\taskmon.exe" [MS]
"SystemTray" = "SysTray.Exe" [MS]
"ScanRegistry" = "c:\windows\scanregw.exe /autorun" [MS]
"Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
"PCHealth" = "c:\windows\PCHealth\Support\PCHSchd.exe -s" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ {++}
"LoadPowerProfile" = "Rundll32.exe powrprof.dll,LoadCurrentPwrScheme" [MS]
"TrueVector" = "C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service" ["Zone Labs, LLC"]
"*StateMgr" = "C:\WINDOWS\System\Restore\StateMgr.exe" [MS]
"KB891711" = "c:\windows\SYSTEM\KB891711\KB891711.EXE" [MS]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{44BBA842-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "NetMeeting 3.01"
\StubPath = "rundll32.exe advpack.dll,LaunchINFSection c:\windows\INF\msnetmtg.inf,NetMtg.Remove.PerUser.W95" [MS]
PerUser_CVT_Inis\(Default) = "Windows Setup - FAT32 Converter"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_CVT_Inis 64 c:\windows\INF\applets1.inf" [MS]
PerUser_Enable_Inis\(Default) = "Windows Setup - Accessibility"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Enable_Inis_remove 64 c:\windows\INF\enable.inf" [MS]
PerUser_Wingames_Inis\(Default) = "Windows Setup - Classic Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Wingames_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_ZoneGame_Inis\(Default) = "Windows Setup - Internet Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_ZoneGame_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_PBGame_Inis\(Default) = "Windows Setup - Plus! Games"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_PBGame_Rem_Inis 64 c:\windows\INF\games.inf" [MS]
PerUser_RNA_Inis\(Default) = "Windows Setup - Dial-Up Networking"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_RNA_remove 64 c:\windows\INF\rna.inf" [MS]
PerUser_DCC_Inis\(Default) = "Windows Setup - Direct Cable Connection"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_DCC_Inis_remove 64 c:\windows\INF\rna.inf" [MS]
PerUser_Onlinelnks_Inis\(Default) = "Windows Setup - HyperTerminal"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Onlinelnks_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
PerUser_Dialer_Inis\(Default) = "Windows Setup - Phone Dialer"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection PerUser_Dialer_Inis_remove 64 c:\windows\INF\appletpp.inf" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\(Default) = "Microsoft Outlook Express 6"
\StubPath = ""C:\Program Files\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /uninstall" [MS]
OlsAolPerUser\(Default) = "Windows Setup - America Online"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAolPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsAttPerUser\(Default) = "Windows Setup - AT&T WorldNet Service"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsAttPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsProdigyPerUser\(Default) = "Windows Setup - Prodigy Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsProdigyPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
OlsEarthlinkPerUser\(Default) = "Windows Setup - Earthlink Internet"
\StubPath = "rundll.exe c:\windows\SYSTEM\setupx.dll,InstallHinfSection OlsEarthlinkPerUserRemove 64 c:\windows\INF\ols.inf" [MS]
{44BBA840-CC51-11CF-AAFA-00AA00B6015C}.Restore\(Default) = "Microsoft Outlook Express 6"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}" [MS]
{7790769C-0471-11d2-AF11-00C04FA35D02}.Restore\(Default) = "Address Book 5"
\StubPath = "rundll32.exe advpack.dll,UserUnInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ALZip\(Default) = "{4EB37360-49E8-11D3-95B5-004033382980}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\ESTSOFT\ALZIP\AZCTM.DLL" ["estsoft"]


System Policies [Description]:
------------------------------

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\
HIJACK WARNING! "HomePage"=dword:00000001
[disables the Home page field in Internet Options|General (tab)]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "c:\windows\Setup.bmp"


WIN.INI & SYSTEM.INI launch points:
-----------------------------------

SYSTEM.INI
[boot]
"SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DTEXT~1.SCR" (3D Text.scr) [MS]


Enabled Scheduled Tasks:
------------------------

"Tune-up Application Start" -> launches: "walign" [MS]
"PCHealth Scheduler for Data Collection" -> launches: "C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE -c" [MS]
"Maintenance-Defragment programs" -> launches: "C:\WINDOWS\DEFRAG.EXE /SAGERUN:0" [MS]
"Maintenance-ScanDisk" -> launches: "C:\WINDOWS\SCANDSKW.EXE /SAGERUN:0 /ALL /N" [MS]
"Maintenance-Disk cleanup" -> launches: "C:\WINDOWS\CLEANMGR.EXE /SAGERUN:0" [MS]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "c:\windows\SYSTEM\rnr20.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
00000000000#\PackedCatalogItem (contains) DLL [Company Name], (at) # range:
c:\windows\SYSTEM\mswsosp.dll [MS], 1 - 4
c:\windows\SYSTEM\msafd.dll [MS], 5 - 7
c:\windows\SYSTEM\rsvpsp.dll [MS], 8 - 9


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{615067A3-4ACF-4674-86F7-E0650B1257BB}\ = "My Way Speedbar PopSwatter" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\SYSTEM\shdocvw.dll" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://.www.msn.com
[Strings]: SEARCH_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
[Strings]: MS_START_PAGE_URL=http://.www.msn.com

Missing lines (compared with English-language version):
[Strings]: 3 lines


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 61 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 58 seconds.
---------- (total run time: 233 seconds)

Edited by Scarlett, 03 September 2005 - 11:00 PM.


#4 Scarlett


Posted 03 September 2005 - 10:24 PM

I just checked my disc space in My Computer.
In there it shows that I have 284MB.

When I click on My Computer properties and check "System Restore disc space use", it shows 50MB as the max, and 20MB as the min.???

I think it normally shows 200MB min. and I think 400 - 500 max.
Not sure though.

What the heck is going on?

Edited by Scarlett, 03 September 2005 - 10:26 PM.


#5 didom


Posted 04 September 2005 - 05:40 AM

First we'll clean some nasty stuff:

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\SWRT01.DLL
    C:\WINDOWS\SYSTEM\SurfScanUpdate.exe
    C:\WINDOWS\SYSTEM\setup_incred_1.exe
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
    C:\Program Files\Internet Explorer\Toolbar\install.exe
    C:\Program Files\Internet Explorer\Toolbar\toolbar.dll
    C:\HJT\backups\backup-20040727-213203-292.inf


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

  • Let the system reboot.
---------------------------------------------------------

Make sure all hidden files and folders are visible (Instructions)

Please go to this site: http://virusscan.jotti.org/
On top you'll find "File to upload and scan".
Browse to the next files, submit them on that site and let them scan:

C:\WINDOWS\SYSTEM\i504b6s.dll
C:\WINDOWS\SYSTEM\in1bLs.dll
C:\WINDOWS\SYSTEM\msmene.dll


Several scanning engines will be used to check the files for any threats. Please post the results of the scans back here.

-------------------------------------------

Also do this:

Please download OldTimer's Winpfind from here:
http://www.bleepingcomputer.com/files/winpfind.php
Unzip it to the desktop and run Winpfind.exe.

Once the scan is finished, please CLOSE the Notepad window that pops up. Then please post the entire contents of the logfile winpfind.txt here for me.

#6 Scarlett


Posted 04 September 2005 - 11:38 AM

I followed the Killbox instructions.

Then submitted the files mentioned to Jotti.

Findings:

C:\WINDOWS\SYSTEM\msmene.dll

Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 8d334599c1ebd8cafefa3aefcbb2e812
Packers detected: PE_PATCH, TELOCK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

C:\WINDOWS\SYSTEM\in1bLs.dll

Status: INFECTED/MALWARE
MD5 b1ae15cd72983efc2fee23918ac458bf
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Trojan.Downloader.Keenval-3
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.of
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Embedded.Installer.TrojanDownloader.Keenval (probable variant)


C:\WINDOWS\SYSTEM\i504b6s.dll

Status: INFECTED/MALWARE
MD5 21caafeccfab3ee80530877bda288eed
Packers detected: UPX
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Dropper.Win32.Agent.of
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Embedded.Adware.Sahat.b (probable variant)


:thumbsup: OMG It looks bad!

I will post the results from Winpfind.exe in my next reply.

#7 didom


Posted 04 September 2005 - 12:06 PM

  • Please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Select "Delete on Reboot".
  • Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\SYSTEM\in1bLs.dll
    C:\WINDOWS\SYSTEM\i504b6s.dll


  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

  • Let the system reboot.
---------------------------------------

Download this program:
submit files packer
Paste the files into the tool.

C:\WINDOWS\SYSTEM\msmene.dll

It will create an archive with these files and a small log on the desktop.
Send the archive to dick[dot]vd[at]gmail[dot]com

[dot]='.'
[at]='@'

Also post the Winpfind log!

#8 Scarlett


Posted 04 September 2005 - 12:20 PM

Hi didom

I am in the process of starting to scan w/ Winpfind.
Question, do I just click > scan?
Or do I need to configure the scan?

Please bear with me. :thumbsup: I had it started by just clicking on > scan.

But I was worried that I had to configure the scan.

So I hit ctrl alt del.

In task manager WinPfind showed as not responding.
Is this something to be concerned about?

Or was it in fact scanning? It seemed that it was.

Edited by Scarlett, 04 September 2005 - 12:27 PM.


#9 didom


Posted 04 September 2005 - 12:24 PM

Just click start scan !

#10 Scarlett


Posted 04 September 2005 - 05:33 PM

I have sent the archive via e-mail.

I deleted these files w/ Killbox


C:\WINDOWS\SYSTEM\in1bLs.dll
C:\WINDOWS\SYSTEM\i504b6s.dll


I must ask you again to please have patience with me. :thumbsup:
Because I have more questions concerning WinPFind.

How long should it take?

I had it running for 2 and 1/2 hours and it still was not done. So I had to stop it.
I have somewhere to go this evening, that I can't get out of. Involving work, since tomorrow is a holiday here in the US. There is no rest for the weary, I'm afraid.
And will not be able to get it running again till late tonight.


Would it be ok, to start it and then go to bed?

Would the screensaver interrupt it?

If so, how do I turn screensaver off? I have ME.


If I cant let it run overnight. I will start it tomorrow ASAP.

I'll check back in, around midnight. C.S.Time

Thank you for everything,

~ Scarlett

Edit: Never mind the above question about turning off the screensaver. I figured it out myself. I will run WinPFind when I go to bed.

Edited by Scarlett, 04 September 2005 - 08:44 PM.


#11 didom


Posted 05 September 2005 - 01:30 AM

I received the file, thanks!

Now I'll wait for your winpfind log!

#12 Scarlett


Posted 05 September 2005 - 10:34 AM

Hi didom

I seem to be having trouble running WinPFind. I ran it for 9 and 1/2 hours. It showed two entries, that is it. The same two that I showed yesterday when it had been running for 3 and 1/2 hours. It doesn't seem to be going anywhere. The HD light is flashing, so I assumed it was running ok. But isn't 9+ hours longer than usual for it to run?

I also ran it in safe mode. I only have a 2 gig HD.

What should I do?
I want to get this run and be able to submit a log.
I wish I would have at least written down what it had found. I can at least get that info once I try to run it again.

All I remember is.
Umonitor
PTech

The dates and times were the same for both.
Oct 26 2003 1:50 ( I don't recall whether it was PM or AM.)

The file names were the same as well.

(something)vund(o).dat ? (I think)

I will attempt to run it later today.
Unless I hear different from you.

BTW The interesting thing about the dates. Is that my computer had crashed right around then. The person that had given it to me. Came over and did something. I have no idea what. I was so new at computing then. He got it up and running though.

Edited by Scarlett, 05 September 2005 - 10:38 AM.


#13 didom


Posted 05 September 2005 - 10:43 AM

Mmm, I'll ask OldTimer if he knows what's going wrong! Please wait for my next reply.... :thumbsup:

#14 didom


Posted 05 September 2005 - 11:51 AM

There may be an entry in the Control Panel’s Add/Remove Programs list for ‘mscman’.
Can you please tell me if it is there?

#15 Scarlett


Posted 05 September 2005 - 05:01 PM

No there is no "mscman" in add/remove.