help- this things deeper than I can dig!


13 replies to this topic

#1 gkb

gkb

  • Members
  • 9 posts

Posted 26 September 2005 - 02:38 PM

g'day eh?

Wow, a rare occasion where I have some form of control using the Internet!

I guess I was under the mistaken impression that I could actually handle this thing on my own... following some suggestions from previous posts here, using resources from AVG, Symantec, Spybot, Security Task Manager etc., only to have this pesky bugger pop back up again (&again&again&again...) on re-booting.

One thing that remains constant in the many scans done is the 'Hosts file' redirects, which must be pointing somewhere out of the reach of my humble (or is that pathetic?) knowledge!

Therefore I must plead to the mercy of the Bleeping masses for assistance, or anyone that would be able to help translate my 'Hijack This' log. Attached is the latest scan. Please advise if there's any other info that might be needed in this quest.

thanks - greg

Logfile of HijackThis v1.99.1
Scan saved at 1:02:55 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\hijack this\HijackThis.exe
D:\WINDOWS\WinVid32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.2.5 symantec.com
O1 - Hosts: 127.0.2.5 sarc.com
O1 - Hosts: 127.0.2.5 www.sarc.com
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 www.mcafee.com
O1 - Hosts: 127.0.2.5 mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.2.5 www.viruslist.com
O1 - Hosts: 127.0.2.5 viruslist.com
O1 - Hosts: 127.0.2.5 f-secure.com
O1 - Hosts: 127.0.2.5 www.f-secure.com
O1 - Hosts: 127.0.2.5 f-prot.com
O1 - Hosts: 127.0.2.5 www.f-prot.com
O1 - Hosts: 127.0.2.5 kaspersky.com
O1 - Hosts: 127.0.2.5 kaspersky-labs.com
O1 - Hosts: 127.0.2.5 www.avp.com
O1 - Hosts: 127.0.2.5 avp.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 www.networkassociates.com
O1 - Hosts: 127.0.2.5 networkassociates.com
O1 - Hosts: 127.0.2.5 www.ca.com
O1 - Hosts: 127.0.2.5 ca.com
O1 - Hosts: 127.0.2.5 mast.mcafee.com
O1 - Hosts: 127.0.2.5 my-etrust.com
O1 - Hosts: 127.0.2.5 www.my-etrust.com
O1 - Hosts: 127.0.2.5 download.mcafee.com
O1 - Hosts: 127.0.2.5 dispatch.mcafee.com
O1 - Hosts: 127.0.2.5 secure.nai.com
O1 - Hosts: 127.0.2.5 nai.com
O1 - Hosts: 127.0.2.5 www.nai.com
O1 - Hosts: 127.0.2.5 vil.nai.com
O1 - Hosts: 127.0.2.5 us.mcafee.com
O1 - Hosts: 127.0.2.5 rads.mcafee.com
O1 - Hosts: 127.0.2.5 trendmicro.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 housecall.trendmicro.com
O1 - Hosts: 127.0.2.5 pandasoftware.com
O1 - Hosts: 127.0.2.5 www.pandasoftware.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.2.5 clamav.net
O1 - Hosts: 127.0.2.5 www.clamav.net
O1 - Hosts: 127.0.2.5 free-av.com
O1 - Hosts: 127.0.2.5 www.free-av.com
O1 - Hosts: 127.0.2.5 www.avast.com
O1 - Hosts: 127.0.2.5 avast.com
O1 - Hosts: 127.0.2.5 cert.org
O1 - Hosts: 127.0.2.5 www.cert.org
O1 - Hosts: 127.0.2.5 microsoft.com
O1 - Hosts: 127.0.2.5 www.virustotal.com
O1 - Hosts: 127.0.2.5 virustotal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ite.cab?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...site.cab?1126279107890
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - D:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - D:\WINDOWS\System32\wins\svchost.exe (file missing)
O23 - Service: Windows 32 Bit (Windows 32 Bit Drivers) - Unknown owner - D:\WINDOWS\WinVid32.exe

Mod Edit - Moved to appropriate forum - Leurgy

Edited by Leurgy, 26 September 2005 - 03:04 PM.



#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 30 September 2005 - 12:10 PM

Hello gkb and welcome to the BC HijackThis forum. Let's try and get an accurate log file posted so we can take a look at it.

We need a complete HijackThis (HJT) log file to be able to analyze what is happening on your computer. Boot normally, start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. If the log is not in Notepad then close whatever application has opened and open the log in Notepad. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis, and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 gkb

gkb
  • Topic Starter

  • Members
  • 9 posts

Posted 01 October 2005 - 01:42 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:31:29 AM, on 10/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\aimplugin.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\WINDOWS\system32\notepad.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.2.5 symantec.com
O1 - Hosts: 127.0.2.5 sarc.com
O1 - Hosts: 127.0.2.5 www.sarc.com
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 www.mcafee.com
O1 - Hosts: 127.0.2.5 mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.2.5 www.viruslist.com
O1 - Hosts: 127.0.2.5 viruslist.com
O1 - Hosts: 127.0.2.5 f-secure.com
O1 - Hosts: 127.0.2.5 www.f-secure.com
O1 - Hosts: 127.0.2.5 f-prot.com
O1 - Hosts: 127.0.2.5 www.f-prot.com
O1 - Hosts: 127.0.2.5 kaspersky.com
O1 - Hosts: 127.0.2.5 kaspersky-labs.com
O1 - Hosts: 127.0.2.5 www.avp.com
O1 - Hosts: 127.0.2.5 avp.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 www.networkassociates.com
O1 - Hosts: 127.0.2.5 networkassociates.com
O1 - Hosts: 127.0.2.5 www.ca.com
O1 - Hosts: 127.0.2.5 ca.com
O1 - Hosts: 127.0.2.5 mast.mcafee.com
O1 - Hosts: 127.0.2.5 my-etrust.com
O1 - Hosts: 127.0.2.5 www.my-etrust.com
O1 - Hosts: 127.0.2.5 download.mcafee.com
O1 - Hosts: 127.0.2.5 dispatch.mcafee.com
O1 - Hosts: 127.0.2.5 secure.nai.com
O1 - Hosts: 127.0.2.5 nai.com
O1 - Hosts: 127.0.2.5 www.nai.com
O1 - Hosts: 127.0.2.5 vil.nai.com
O1 - Hosts: 127.0.2.5 us.mcafee.com
O1 - Hosts: 127.0.2.5 rads.mcafee.com
O1 - Hosts: 127.0.2.5 trendmicro.com
O1 - Hosts: 127.0.2.5 housecall.trendmicro.com
O1 - Hosts: 127.0.2.5 pandasoftware.com
O1 - Hosts: 127.0.2.5 www.pandasoftware.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.2.5 clamav.net
O1 - Hosts: 127.0.2.5 www.clamav.net
O1 - Hosts: 127.0.2.5 free-av.com
O1 - Hosts: 127.0.2.5 www.free-av.com
O1 - Hosts: 127.0.2.5 www.avast.com
O1 - Hosts: 127.0.2.5 avast.com
O1 - Hosts: 127.0.2.5 cert.org
O1 - Hosts: 127.0.2.5 www.cert.org
O1 - Hosts: 127.0.2.5 microsoft.com
O1 - Hosts: 127.0.2.5 www.virustotal.com
O1 - Hosts: 127.0.2.5 virustotal.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126279107890
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - D:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - D:\WINDOWS\System32\wins\svchost.exe (file missing)
O23 - Service: Windows 32 Bit (Windows 32 Bit Drivers) - Unknown owner - D:\WINDOWS\WinVid32.exe

==================================================
I had a heck of a time accessing a browser the past few days - links just weren't happening. A reboot was a necessary evil to get this far - unfortunately here we go again in the perpetual AVG warnings department!
I should note that this all started when the HD with the opsys crashed. Installing windows to a different drive left the door open just enough for the mayhem to slip through (yeah, the cable got disconnected after the fact!)

thanks for your consideration...

greg

#4 gkb

gkb
  • Topic Starter

  • Members
  • 9 posts

Posted 01 October 2005 - 02:25 AM

Re: " Add any other comments which you believe might be helpful in our analysis":

- AVG Resident Shield 'Virus Detected' notice (shows in perpetuity) stating:
"Trojan horse Generic.GM while opening D:\WINDOWS\system32\rdriv.sys"

Immediate Response:
===============================
-MS Antispyware program run with the following files deleted:
_D:\windows\hosts
_D:\windows\hosts
"Host file redirection of 127.0.2.5 www.microsoft.com (... -fades out after that!)..."

-Symantec on-line solution reported and 'supposedly' cleaned the following:
_D:\f131439.exe is infected with Bloodhound.Morphine
_D:\f164285.exe is infected with Bloodhound.Morphine
_D:\WINDOWS\WinVid32.exe is infected with Bloodhound.Morphine
_D:\Documents and Settings\Greg\Application _Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1e891821-55ce7a6d.zip
is infected with Trojan.ByteVerify

-The 30-day trial of System Security Manager found the following files:
_D:\WINDOWS\AIMplugin(1&2)
_D:\WINDOWS\Explorerl.exe
_D:\WINDOWS\smss.exe
_D:\WINDOWS\winampa.exe
All of the above have been placed in "quarantine"
(S.S.M. reports on the text content of each available for reference if needed)
(the 'real' D:\windows\system32\smss.exe & D:\windows\system32\winampa.exe remain in place)

-On downloading Hijackthis the following files were reported:
_line 023- Service: SMSS - Unknown owner - D:\WINDOWS\smss.exe (file missing)
_line 023- Service: Windows 32 Bit (Windows 32 Bit Drivers) - Unknown owner - D:\WINDOWS\WinVid32.exe
_line 023- Service: Network Connections Sharing (RpcTftpd) - Unknown owner - D:\WINDOWS\System32\wins\svhost.exe (file missing)
_line 023- Service: WINS Client (RpcPatch) - Unknown owner - D:\WINDOWS\\System32\wins\DLLHOST.EXE (file missing)

-'Search' info on these files all reported: W32 WELCHIAWORM & W32/Nachi-Aworm
and were subsequently 'checked' and 'Fixed'.

===========================================

-oops - I failed to mention that out of frustration with my browser earlier, I disabled my "Sun Java Console"(not verified). It is labeled as a browser extension with the filename: npjpi150_04.dll

-Also: during my initial reaction, a 'search' brought me to a 'bleepingcomputer' response to a user with a similar situation re: "ioroxxo microsoft sux"
and the solution suggested there was followed.

-The following was also performed:

Click Start->Run - type SERVICES.MSC & then click on the OK button
Locate the service - Windows System32 (mswin32)
Double-click on it to open the Properties dialog.
Stop the service by using the Stop button.
Change the Startup type to Disabled & then click on the OK button
---------------------
Then start HiJackThis & go to Config>Misc.Tools...> Delete an NT service...
In the popup box that appears, type in mswin32 & then click on the OK button
---------------------
Double-click rdrivRem.bat to run the program - follow the instructions on the screen.

There! If that isn't enough information for you to now want to shoot me just let me know!
-g

Edited by gkb, 01 October 2005 - 03:08 AM.


#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 03 October 2005 - 08:40 AM

Hi gkb. Ok, let's start with this. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

Download Hoster.zip and unzip it to your desktop.

Now we need to remove some services.

Open Notepad and Copy/Paste the contents of the quote box below into the new document:

 
Const title = "Service Removal Tool"

' Ask which service to remove; the default is the bogus "Windows 32 Bit Drivers" service from the log.
Set oWS = CreateObject("Wscript.Shell")
sService = inputbox("Removing Service:",title,"Windows 32 Bit Drivers")

' An empty answer (or Cancel) aborts without touching anything.
If sService = "" then
    msgbox "Script halted. No changes were made.", vbInformation, title
    wscript.quit
End If

' Query WMI on the local machine for a service whose short name or display name matches.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
' Note: the typed name is spliced straight into the WQL query, so a name containing an
' apostrophe would break the query; the service names used in this thread contain none.
Set colListOfServices = objWMIService.ExecQuery _
    ("Select * from Win32_Service Where Name = '" & sService & "' or displayName = '" & sService & "'")
If colListOfServices.count > 0 Then
    For Each objService In colListOfServices
        ' Stop it, give the stop time to take effect, disable autostart, then delete the registration.
        objService.StopService()
        wscript.Sleep 5000
        objService.ChangeStartMode("Disabled")
        wscript.Sleep 2000
        objService.Delete()
        Msgbox "The " & sService & " service has been removed or marked for deletion.", vbInformation, title
    Next
Else
    Msgbox "The " & sService & " service was not found.", vbInformation, title
End If


Save the file to your desktop as remsvc.vbs and close Notepad. Locate the remsvc.vbs file on your desktop and double-click on it to run it. Click the Ok button and wait for a message box saying the service has been removed or marked for deletion.

Now rerun the remsvc.vbs file for each of the services listed below. Copy/paste the service name into the editbox before clicking the Ok button:
  • RpcPatch
  • RpcTftpd

Step #2

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #3

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
  • D:\WINDOWS\System32\wins\DLLHOST.EXE
  • D:\WINDOWS\System32\wins\svchost.exe
  • D:\WINDOWS\WinVid32.exe

Step #5

Start Hoster and click on the Restore Original Hosts button. Now, close Hoster.

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #6

Reboot normally and run at least 2 of the following on-line virus scans:
  • Bitdefender <<<Add a check by 'Autoclean'.
  • RAV <<<Add a check by 'Autoclean', leave everything else as is.
  • eTrust <<<'Cure' whatever is found, then delete if unsuccessful
  • Housecall <<<Put on 'Autoclean' and delete what it can't clean.
  • Panda ActiveScan <<<Accept default settings
If there are any files that cannot be automatically disinfected or quarantined then you will need to delete them manually.

Step #7

If you do not already have Ad-Aware SE 1.06 then follow these download and setup instructions: Ad-Aware SE Setup. Otherwise, just check for updates.

Start Ad-aware SE, click the Start button and choose Perform Full System Scan. Click the Next button and wait for the scan to complete. If anything was found, right-click on the list and choose Select All and remove all it finds.

Step #8

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


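An added triage script for logs like the ones posted in this thread (example code written for this page, not part of HijackThis or anything OldTimer supplied). It flags O1 hosts entries that point security-vendor domains at any 127.0.0.0/8 address, which is why 127.0.2.5 blocks AV updates just as 127.0.0.1 would, and O23 services with an unknown owner whose file is missing or sits outside the system directories, which is how RpcPatch, RpcTftpd and the Windows 32 Bit Drivers service stand out above. The vendor list and the sample log lines are constructed from the thread's own entries.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread; it is not part of HijackThis or of any tool
the helper supplied. It flags two patterns visible in the logs above:

  * O1 entries mapping security-vendor domains to a loopback address.
    127.0.2.5 is inside 127.0.0.0/8, so the redirect blocks AV updates and
    online scans just as 127.0.0.1 would, while not looking like the usual
    loopback entry.
  * O23 services with an "Unknown owner" whose binary is reported missing or
    lives outside the Windows system directories.
"""
import ipaddress
import re

# Constructed sample in the shape of the posted logs (raw string keeps the backslashes).
SAMPLE_LOG = r"""O1 - Hosts: 127.0.2.5 symantec.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 10.0.0.7 intranet.example
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WINS Client (RpcPatch) - Unknown owner - D:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
O23 - Service: Windows 32 Bit (Windows 32 Bit Drivers) - Unknown owner - D:\WINDOWS\WinVid32.exe
"""

# Registrable labels of the vendors named in the thread's hosts entries (assumed list,
# not exhaustive): www.kaspersky.com -> "kaspersky", free.grisoft.com -> "grisoft".
SECURITY_VENDORS = {
    "symantec", "symantecliveupdate", "sarc", "sophos", "mcafee", "viruslist",
    "f-secure", "f-prot", "kaspersky", "kaspersky-labs", "avp",
    "networkassociates", "ca", "my-etrust", "nai", "trendmicro", "pandasoftware",
    "grisoft", "clamav", "free-av", "avast", "cert", "microsoft", "virustotal",
}

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O23_RE = re.compile(r"^O23 - Service: (.+?) \((.+?)\) - (.+?) - (.+)$")


def vendor_of(hostname):
    """Registrable label of a hostname ('symantec' for www.symantec.com), or None."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else None


def is_loopback(ip_text):
    """True for any address in 127.0.0.0/8 (or ::1), False for junk or other ranges."""
    try:
        return ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return False


def in_system_dir(path):
    """True when the binary sits under \\system32 or \\SysWOW64, case-insensitively."""
    p = path.lower()
    return "\\system32\\" in p or "\\syswow64\\" in p


def triage(log_text):
    """Return (line_no, kind, detail) for each suspicious O1 or O23 line."""
    findings = []
    for no, line in enumerate(log_text.splitlines(), 1):
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if is_loopback(ip) and vendor_of(host) in SECURITY_VENDORS:
                findings.append((no, "hosts-redirect", f"{host} -> {ip}"))
            continue
        m = O23_RE.match(line)
        if m:
            _display, name, owner, path = m.groups()
            missing = path.endswith("(file missing)")
            if owner.lower() == "unknown owner" and (missing or not in_system_dir(path)):
                findings.append((no, "suspect-service", f"{name}: {path}"))
    return findings


if __name__ == "__main__":
    for no, kind, detail in triage(SAMPLE_LOG):
        print(f"line {no:>3}  {kind:<16} {detail}")
```

The same parser works on a raw hosts file if the lines are prefixed with "O1 - Hosts: ", which is all HijackThis does before listing them.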
#6 gkb

gkb
  • Topic Starter

  • Members
  • 9 posts

Posted 04 October 2005 - 04:02 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:37:48 PM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\aimplugin.exe
D:\WINDOWS\system32\aimplugin.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 127.0.2.5 www.symantec.com
O1 - Hosts: 127.0.2.5 symantec.com
O1 - Hosts: 127.0.2.5 securityresponse.symantec.com
O1 - Hosts: 127.0.2.5 sarc.com
O1 - Hosts: 127.0.2.5 www.sarc.com
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 sophos.com
O1 - Hosts: 127.0.2.5 www.mcafee.com
O1 - Hosts: 127.0.2.5 mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.2.5 www.viruslist.com
O1 - Hosts: 127.0.2.5 viruslist.com
O1 - Hosts: 127.0.2.5 f-secure.com
O1 - Hosts: 127.0.2.5 www.f-secure.com
O1 - Hosts: 127.0.2.5 f-prot.com
O1 - Hosts: 127.0.2.5 www.f-prot.com
O1 - Hosts: 127.0.2.5 kaspersky.com
O1 - Hosts: 127.0.2.5 kaspersky-labs.com
O1 - Hosts: 127.0.2.5 www.avp.com
O1 - Hosts: 127.0.2.5 avp.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 www.networkassociates.com
O1 - Hosts: 127.0.2.5 networkassociates.com
O1 - Hosts: 127.0.2.5 www.ca.com
O1 - Hosts: 127.0.2.5 ca.com
O1 - Hosts: 127.0.2.5 mast.mcafee.com
O1 - Hosts: 127.0.2.5 my-etrust.com
O1 - Hosts: 127.0.2.5 www.my-etrust.com
O1 - Hosts: 127.0.2.5 download.mcafee.com
O1 - Hosts: 127.0.2.5 dispatch.mcafee.com
O1 - Hosts: 127.0.2.5 secure.nai.com
O1 - Hosts: 127.0.2.5 nai.com
O1 - Hosts: 127.0.2.5 www.nai.com
O1 - Hosts: 127.0.2.5 vil.nai.com
O1 - Hosts: 127.0.2.5 update.symantec.com
O1 - Hosts: 127.0.2.5 updates.symantec.com
O1 - Hosts: 127.0.2.5 us.mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantec.com
O1 - Hosts: 127.0.2.5 customer.symantec.com
O1 - Hosts: 127.0.2.5 rads.mcafee.com
O1 - Hosts: 127.0.2.5 trendmicro.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 housecall.trendmicro.com
O1 - Hosts: 127.0.2.5 pandasoftware.com
O1 - Hosts: 127.0.2.5 www.pandasoftware.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.2.5 www.grisoft.com
O1 - Hosts: 127.0.2.5 grisoft.com
O1 - Hosts: 127.0.2.5 clamav.net
O1 - Hosts: 127.0.2.5 www.clamav.net
O1 - Hosts: 127.0.2.5 free-av.com
O1 - Hosts: 127.0.2.5 www.free-av.com
O1 - Hosts: 127.0.2.5 www.avast.com
O1 - Hosts: 127.0.2.5 avast.com
O1 - Hosts: 127.0.2.5 cert.org
O1 - Hosts: 127.0.2.5 www.cert.org
O1 - Hosts: 127.0.2.5 www.microsoft.com
O1 - Hosts: 127.0.2.5 microsoft.com
O1 - Hosts: 127.0.2.5 www.virustotal.com
O1 - Hosts: 127.0.2.5 virustotal.com
O1 - Hosts: 127.0.2.5 update.microsoft.com
O1 - Hosts: 127.0.2.5 windowsupdate.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126279107890
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
================================================
g'day Mr. Timer!

Thanks for casting your sage eye my way - as you might have guessed,
"stuff" did happen!

Here is the list of results/notices appearing:

================================================
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step1- running the file: "remsvc.vbs" auto-removed "Windows 32Bit Drivers"
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step4- the DLLHOST.exe & svchost.exe files were indeed gone.
-the WinVid32.exe was found & 'killed'.
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step5- clicking on "Restore Orig. Hosts" button would not work until the
"Make Hosts Writable" button was engaged (changing it from
"Hosts File marked as Read Only")
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step6- normal reboot resulted in the following notices:

1] AVG Resident Shield 'Virus Detected' notice stating:
"Trojan horse Generic.GM while opening D:\WINDOWS\system32\rdriv.sys"

2] notice that the 32Bit Drivers had been blocked.
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re "Run at least 2 of the following on-line virus scans":
--------
1> "BitDefender" run (www.bitdefender.com/scan8/ie.html)

> Activex control DL'd: Bitdefender online scanner v8 (softwin)
...notice appeared warning that "D:\WINDOWS\bdoscandel.exe" was
attempting to install (a 'search' proved it to be for the most part
harmless. Although all sites prompted for its removal - there were
no warnings specific to it so it was allowed)

> No 'Autoclean' function was apparent. Settings were opened & the
following defaults were noted/used:
"Scan Boot Sectors" -- "Scan Files" -- "Use Heuristic Detection"--
"Detect Incomplete Virus Bodies" -- "Disinfect" -- "Second Action".

> <note- I'm not sure this is normal, but all sub-folders throughout the
process appeared without any text on the tabs or buttons>

> During the scan the process 'crashed'. (FYI- the folder 'up' at the time
was an old folder that has been scanned for approx. 1year)

- the following information was onscreen at the time:
D:\f131439.exe backdoor.sdb...
D:\f164285.exe backdoor.sdb...
D:\System Volume Information\-restore{F2B64500-E7A9-4AE1-AEC0...
D:\System Volume Information\-restore{F2B64500-E7A9-4AE1-AEC0...
D:\System Volume Information\-restore{F2B64500-E7A9-4AE1-AEC0...

- message displayed on crash: "IE encountered a problem & must close"
- the Techn.Info file included the following:
=exception info- 0xc0000005
=flags - 0x00000000
=record - 0x0000000000000000
=address - 0x0000000002041be6
...finishing with modules 1-89 & threads 1-10
(thread 10 included memory ranges 1 thru 20)

- the 'error report' also incl. the following info:
=file - oscan8.ocx
=co. name - (not verified) SOFTWIN
=description - bitdefender online scanner
=applic.name - iexplore.exe AppVer6.02900.2180
=mod name - oscan8.ocx
=mod ver - 1.0.0.1
=offset - 00011be6
--------
2> "RAV" run.

> Activex control DL'd: rav antivirus online scan (GeCad software SRL)

> 1h.02m scan run - nothing found/no action taken.

> AVG Resident Shield 'Virus Detected' notice appeared onscreen
while scanning "D:\WINDOWS\system32" stating:
"Trojan horse Generic.GM while opening D:\WINDOWS\system32\rdriv.sys"
--------
3> Trendmicro "Housecall" run. ("complete" scan of all H.D.'s)

> Activex control DL'd: "xscan60.cab"

> Results: "found" & "removed":
=3 viruses: D:\WINDOWS\WinVid32.exe = worm SDBOT.CII
D:\f162701.exe = worm SDBOT.CII
D:\f46728.exe = worm SDBOT.CII
=1 worm/trojan JS FORTNIGHT.M (javascript-encrypted)
=1 spyware COOKIE 2250 (default was "PASS" = passed)
="No Vulnerability"

> AVG Resident Shield 'Virus Detected' notice appeared onscreen
while scanning "D:\WINDOWS\system32" stating:
"Trojan horse Generic.GM while opening
D:\WINDOWS\system32\rdriv.sys"
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step7- AdAware SE 1.06 was downloaded/run
(originally located on my crashed HD)

> Results: "found" & "removed":
= 6 tracking cookies - dataminers (iecache)
=1 coulomb dialer
-type - file
-data - groove.x32
-TAC rating - 5
-category - dialer
(D:\Documents&Settings\ApplicData\macromedia\Shockwave Player\xtras\download\the groove alliance\3DGrooveXtrav181)
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
re step8- AVG Resident Shield 'Virus Detected' notice appeared onscreen:
"Trojan horse Generic.GM while opening
D:\WINDOWS\system32\rdriv.sys"
-------- -------- -------- -------- -------- -------- -------- -------- -------- --------
================================================
Phew!
... and how was your day?

-greg ('young geezer')

#7 OldTimer
    Malware Expert

Posted 04 October 2005 - 08:27 AM

Hi gkb. The Hosts file still appears to have a problem. Let's try this.

Download and install the trial version of the ewido security suite. Update the program and then close it. Do not run it yet.

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Start ewido and do the following:
  • Click on the Scanner button.
  • Click on the Complete System Scan.
  • If anything is found you will be prompted to clean the first infected file found. Choose Clean and put a checkmark in the checkbox for Perform action on all infections and click the Ok button to continue the scan.
  • When the scan is complete close ewido and reboot the computer normally.
Start Hoster and click on the Restore Original Hosts button. Now, close Hoster.

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#8 gkb
    Topic Starter

Posted 06 October 2005 - 02:17 AM

Logfile of HijackThis v1.99.1
Scan saved at 1:42:03 PM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\WINDOWS\system32\aimplugin.exe
D:\WINDOWS\system32\aimplugin.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Messenger\msmsgs.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoctrl.exe
D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoguard.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 127.0.2.5 www.symantec.com
O1 - Hosts: 127.0.2.5 symantec.com
O1 - Hosts: 127.0.2.5 securityresponse.symantec.com
O1 - Hosts: 127.0.2.5 sarc.com
O1 - Hosts: 127.0.2.5 www.sarc.com
O1 - Hosts: 127.0.2.5 www.sophos.com
O1 - Hosts: 127.0.2.5 sophos.com
O1 - Hosts: 127.0.2.5 www.mcafee.com
O1 - Hosts: 127.0.2.5 mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantecliveupdate.com
O1 - Hosts: 127.0.2.5 www.viruslist.com
O1 - Hosts: 127.0.2.5 viruslist.com
O1 - Hosts: 127.0.2.5 f-secure.com
O1 - Hosts: 127.0.2.5 www.f-secure.com
O1 - Hosts: 127.0.2.5 f-prot.com
O1 - Hosts: 127.0.2.5 www.f-prot.com
O1 - Hosts: 127.0.2.5 kaspersky.com
O1 - Hosts: 127.0.2.5 kaspersky-labs.com
O1 - Hosts: 127.0.2.5 www.avp.com
O1 - Hosts: 127.0.2.5 avp.com
O1 - Hosts: 127.0.2.5 www.kaspersky.com
O1 - Hosts: 127.0.2.5 www.networkassociates.com
O1 - Hosts: 127.0.2.5 networkassociates.com
O1 - Hosts: 127.0.2.5 www.ca.com
O1 - Hosts: 127.0.2.5 ca.com
O1 - Hosts: 127.0.2.5 mast.mcafee.com
O1 - Hosts: 127.0.2.5 my-etrust.com
O1 - Hosts: 127.0.2.5 www.my-etrust.com
O1 - Hosts: 127.0.2.5 download.mcafee.com
O1 - Hosts: 127.0.2.5 dispatch.mcafee.com
O1 - Hosts: 127.0.2.5 secure.nai.com
O1 - Hosts: 127.0.2.5 nai.com
O1 - Hosts: 127.0.2.5 www.nai.com
O1 - Hosts: 127.0.2.5 vil.nai.com
O1 - Hosts: 127.0.2.5 update.symantec.com
O1 - Hosts: 127.0.2.5 updates.symantec.com
O1 - Hosts: 127.0.2.5 us.mcafee.com
O1 - Hosts: 127.0.2.5 liveupdate.symantec.com
O1 - Hosts: 127.0.2.5 customer.symantec.com
O1 - Hosts: 127.0.2.5 rads.mcafee.com
O1 - Hosts: 127.0.2.5 trendmicro.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 housecall.trendmicro.com
O1 - Hosts: 127.0.2.5 pandasoftware.com
O1 - Hosts: 127.0.2.5 www.pandasoftware.com
O1 - Hosts: 127.0.2.5 www.trendmicro.com
O1 - Hosts: 127.0.2.5 free.grisoft.com
O1 - Hosts: 127.0.2.5 www.grisoft.com
O1 - Hosts: 127.0.2.5 grisoft.com
O1 - Hosts: 127.0.2.5 clamav.net
O1 - Hosts: 127.0.2.5 www.clamav.net
O1 - Hosts: 127.0.2.5 free-av.com
O1 - Hosts: 127.0.2.5 www.free-av.com
O1 - Hosts: 127.0.2.5 www.avast.com
O1 - Hosts: 127.0.2.5 avast.com
O1 - Hosts: 127.0.2.5 cert.org
O1 - Hosts: 127.0.2.5 www.cert.org
O1 - Hosts: 127.0.2.5 www.microsoft.com
O1 - Hosts: 127.0.2.5 microsoft.com
O1 - Hosts: 127.0.2.5 www.virustotal.com
O1 - Hosts: 127.0.2.5 virustotal.com
O1 - Hosts: 127.0.2.5 update.microsoft.com
O1 - Hosts: 127.0.2.5 windowsupdate.microsoft.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126279107890
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoguard.exe

=====================================================

hey OT...
We gotta stop meeting like this!

OK, here's the birds-eye-lowdown on round two:

ewido installed & updated... waited until next morning & ran in safe mode.

Results: 80% of the text was missing, but I managed to stumble my way
through without causing further damage.

On selecting ("Scan") I got the following notice:
"Lost Auto-protection & all Additional Filters" , then providing info on how to
register the software. Hmmm... 14 days passed in one single night???
A reboot back in normally and a second run through the software proved that NOT to be the case, so I repeated the 'safe mode' attempt a 2nd time - successfully.
(Still with the 80% loss of legibility tho!)

ewido found and quarantined the following:

1-File:
D:\Docs&Settgs\AllUsers\Applics\SecTaskMan\explorerl.exe.q_8056801_q
-infection: Backdoor.Bifrose.d
-threat: high

2-File:
..:mozilla.9:D:\Docs&Settgs\greg\Applics\Mozilla\Firefox\Profi...oexhw..coo...
-Infection: Spyware.cookie.Atdmt
-Threat: med

3-File: D:\Docs&Settgs\Greg\Cookies\greg@atdmt[2].txt
-Infection: Spyware.cookie.Atdmt
-Threat: Med

4-File: D:\Docs&Settgs\Greg\Cookies\greg@mediaplex[11].txt
-Infection: Spyware.Cookie.Mediaplex
-Threat: Medium

5-File: D:\WINDOWS\Downloaded Program Files\popcaploader.dll
-Infection: Not-A-Virus.Pornware.PopCap.b
-Threat: High

6-File: D:\WINDOWS\system32\rdriv.sys
Infection: trojan
Threat: High

Of course each & every time I've rebooted since STILL 'pops' the "AVG Res.Shield notice" that "Trojan horse Generic.GM" was found "while opening:

D:\WINDOWS\system32\rdriv.sys"

-ditto on the notice of WinVid32.exe being blocked.

end of fun round 2!
-greg

#9 OldTimer
    Malware Expert

Posted 06 October 2005 - 06:58 AM

Hi gkb. Ok, let's try this. Please print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):
D:\WINDOWS\system32\aimplugin.exe
Step #3

Start Hoster. If the top button on the left says Make Hosts Writable then click on that button to make the Hosts file editable. Click on the Restore Original Hosts button. Now, close Hoster.

Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT

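The two patterns OldTimer keeps chasing in this thread can be picked out of a HijackThis log mechanically: the O1 lines in post #8 that point every antivirus and Windows Update hostname at 127.0.2.5 (which is why Hoster's Restore Original Hosts button comes up again in post #7 and Step 3 above), and the O4 lines in Step 4 above that register the same aimplugin.exe under HKLM Run, HKLM RunServices and HKCU Run at once. The script below is an added example written for this page; it is not code from HijackThis, Hoster, ewido or either poster. The sample log is constructed for the example, and the vendor keyword list is an assumption drawn from the names the thread's hosts file blackholed.

```python
"""HijackThis-log triage: hosts-file sinkholes (O1) and multi-key autoruns (O4).
Added example for this thread; not HijackThis, Hoster or the posters' code."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in HijackThis 1.99 line format (modelled on the thread's
# logs, not the poster's actual log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 127.0.2.5 www.symantec.com
O1 - Hosts: 127.0.2.5 update.microsoft.com
O1 - Hosts: 10.0.0.5 intranet.example
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKLM\..\RunServices: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O4 - HKCU\..\Run: [Aim Plugin] D:\WINDOWS\system32\aimplugin.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed keyword list, taken from the names the thread's hosts file pointed
# at 127.0.2.5; extend it for other vendors.
SECURITY_VENDORS = ("symantec", "sarc.com", "mcafee", "nai.com", "trendmicro",
                    "kaspersky", "avp.com", "sophos", "f-secure", "f-prot",
                    "grisoft", "avast", "clamav", "pandasoftware", "ca.com",
                    "my-etrust", "cert.org", "virustotal", "microsoft")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.+?)\s*$")


def is_sinkhole(addr):
    """A hosts target that can only swallow traffic: 127/8 or 0.0.0.0."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def hosts_findings(log):
    """O1 entries that sink any name other than localhost; vendor names rank high."""
    found = []
    for line in log.splitlines():
        m = O1_RE.match(line)
        if not m:
            continue
        addr, name = m.group(1), m.group(2).lower()
        if name == "localhost" or not is_sinkhole(addr):
            continue
        vendor = any(v in name for v in SECURITY_VENDORS)
        found.append({"host": name, "addr": addr,
                      "severity": "high" if vendor else "medium"})
    return found


def autorun_findings(log):
    """O4 images registered under more than one Run key, or under RunServices,
    a Windows 9x-only key that NT-based Windows (XP included) never executes."""
    keys_by_image = defaultdict(set)
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, image = m.groups()
            keys_by_image[(name, image.lower())].add(hive + "\\" + key)
    found = []
    for (name, image), keys in keys_by_image.items():
        reasons = []
        if len(keys) > 1:
            reasons.append("registered in %d autorun keys" % len(keys))
        if any(k.endswith("RunServices") for k in keys):
            reasons.append("uses RunServices (Win9x-only key)")
        if reasons:
            found.append({"name": name, "image": image,
                          "keys": sorted(keys), "reasons": reasons})
    return found


def clean_hosts(log):
    """Rebuild a minimal hosts file: localhost plus every entry not flagged."""
    bad = {f["host"] for f in hosts_findings(log)} | {"localhost"}
    lines = ["127.0.0.1\tlocalhost"]
    for line in log.splitlines():
        m = O1_RE.match(line)
        if m and m.group(2).lower() not in bad:
            lines.append(m.group(1) + "\t" + m.group(2))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in hosts_findings(SAMPLE_LOG):
        print("HOSTS   %-6s %s -> %s" % (f["severity"], f["host"], f["addr"]))
    for f in autorun_findings(SAMPLE_LOG):
        print("AUTORUN %s (%s): %s" % (f["name"], f["image"], "; ".join(f["reasons"])))
    print(clean_hosts(SAMPLE_LOG), end="")
```

Two caveats when reading the output. Ad-blocking hosts files produce exactly the same loopback pattern for advertising domains, so the loopback check alone is only medium confidence; what makes this thread's entries malicious is the target set (AV vendors, Windows Update, virustotal.com, cert.org), which is what the vendor list is keying on. And on the hosts side, a file the hijacker marked read-only (post #6, step 5) has to have that attribute cleared, with `attrib -r` or Hoster's Make Hosts Writable button, before anything, this script included, can write a replacement.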

#10 gkb
    Topic Starter

Posted 06 October 2005 - 03:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:56:19 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Microsoft AntiSpyware\gcasServ.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoctrl.exe
D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoguard.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126279107890
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\virus n spyware crap\ewido security suite (latest)\security suite\ewidoguard.exe

================================================
Wow, this time around there's no AVG Shield pop-up warnings!!!!
On the other hand - there's no notice that 'WinVid32' continues to be blocked as per previous instructions either!!!(?)
Nothing out of the ordinary to report, save for attempts to open files (or the internet) taking several tries before the action actually takes 'hold' and responds (the same goes for highlighting text for copying).

Of course everything also runs in 'molasses' mode! If this indeed did the trick, please advise which programs could be safely deleted to get some of that speed back.
Thanks so much for your continued input O.T. ...your karma points surely must be off the register! :thumbsup:

regards,
greg

#11 OldTimer
    Malware Expert

Posted 10 October 2005 - 06:24 AM

Hi gkb. The log looks clean. Let's try a couple of other things and run a different scanner to make sure that we have it all.

First, download WinPFind.zip and unzip the contents to the C:\ folder. Don't run it yet.

Next, download the latest Avast Home Edition but do not install it yet.

Now, physically remove the internet connection cable (dial-up or dsl or cable) and uninstall AVG, MS AntiSpyware and Ewido. Reboot and reinstall AVG. Reconnect the internet connection cable, update AVG and do a full system scan.

Now start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the c:\winpfind\winpfind.exe file and double-click it to run it. Now click the Start Scan button to begin the scan.

When the scan is complete reboot normally and post the WinPFind.txt file (located in the WinPFind folder) back here along with a new HijackThis log and I will review the information when it comes in.

OT


#12 gkb
    Topic Starter

Posted 16 October 2005 - 04:19 PM

G'day Mr. O-Ti'

Sorry for delays - this is the 1st chance since to check back for a reply. We are in the final stages of moving out of the country, so things have been difficult at best to find some space! Hopefully i have followed your instructions faithfully. There is someone coming in tomorrow to add a new HD and a running op-sys so that I can remove my H.D.s /files for transport. The remainder will be staying with my son.

Re: avg uninstall ... after rebooting, the attempt to re-install it was not possible. Hopefully this is what you had in mind. It was then only possible to re-install after the internet cable was hooked back up again, after which the updates were then also downloaded.
The attempt to run the "winpfind.exe" ended up in a very long stall with the top banner reading "not responding" (I should note that there were two identical windows open /displaying the same information within and re: "not responding"). A 2nd attempt proved successful and is attached below.

Oh yeah... I should also mention that my ability to copy & paste is almost completely gone!!!!? Par for the course?

Thanks again for your consideration in this monstrosity of a situation...

regards,
greg
================================================================

current WinPFind Log-------------------------------------------------------------------------------------------

Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...
UPX! 9/13/2005 8:34:24 PM 28160 D:\rmelknt.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Items found in D:\WINDOWS\HOSTS

PECompact2 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\lpt$vpn.869
qoologic 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\lpt$vpn.869
SAHAgent 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\lpt$vpn.869
UPX! 5/3/2005 11:44:44 AM 25157 D:\WINDOWS\RMAgentOutput.dll
UPX! 1/10/2005 4:17:24 PM 170053 D:\WINDOWS\tsc.exe
PECompact2 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\VPTNFILE.869
qoologic 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\VPTNFILE.869
SAHAgent 10/2/2005 2:01:36 PM 15988639 D:\WINDOWS\VPTNFILE.869
UPX! 2/18/2005 6:40:14 PM 1044560 D:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 D:\WINDOWS\vsapi32.dll

Checking %System% folder...
UPX! 7/9/2005 3:03:06 AM 433152 D:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/23/2001 6:00:00 AM 41397 D:\WINDOWS\SYSTEM32\dfrg.msc
PTech 8/29/2005 1:27:12 PM 520968 D:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 9:08:28 PM 1997664 D:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:08:28 PM 1997664 D:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 D:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 D:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 6:00:00 AM 1309184 D:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
UPX! 10/16/2005 12:18:22 PM 726016 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 10/16/2005 12:18:22 PM 726016 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PEC2 10/16/2005 12:18:22 PM 726016 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
aspack 10/16/2005 12:18:22 PM 726016 D:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/3/2004 11:41:38 PM 1309184 D:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in D:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/16/2005 1:51:30 PM S 2048 D:\WINDOWS\bootstat.dat
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\WindowsShell.Manifest
10/5/2005 10:07:24 PM RHS 238292 D:\WINDOWS\WinVid32.exe
9/12/2005 9:02:54 AM RHS 227 D:\WINDOWS\assembly\Desktop.ini
9/9/2005 12:26:34 PM S 64 D:\WINDOWS\CSC\00000001
9/9/2005 12:21:18 PM S 64 D:\WINDOWS\CSC\00000002
9/9/2005 8:52:46 AM H 65 D:\WINDOWS\Downloaded Program Files\desktop.ini
9/9/2005 8:54:16 AM HS 67 D:\WINDOWS\Fonts\desktop.ini
9/19/2005 10:46:14 PM H 10820 D:\WINDOWS\Help\update.GID
9/9/2005 9:18:06 AM H 0 D:\WINDOWS\inf\oem0.inf
9/9/2005 11:35:06 AM H 0 D:\WINDOWS\inf\oem1.inf
9/9/2005 8:52:46 AM H 65 D:\WINDOWS\Offline Web Pages\desktop.ini
9/9/2005 8:53:28 AM RHS 242478 D:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
9/9/2005 8:53:28 AM RHS 19959 D:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
9/9/2005 8:53:28 AM RHS 727 D:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
9/9/2005 11:12:46 AM RHS 305145 D:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_5.cab
9/9/2005 11:15:04 AM RHS 68327 D:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_6.cab
9/9/2005 8:55:08 AM H 237568 D:\WINDOWS\repair\ntuser.dat
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\system32\cdplayer.exe.manifest
9/9/2005 8:52:46 AM RH 488 D:\WINDOWS\system32\logonui.exe.manifest
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\system32\ncpa.cpl.manifest
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\system32\nwc.cpl.manifest
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\system32\sapi.cpl.manifest
9/9/2005 8:52:46 AM RH 488 D:\WINDOWS\system32\WindowsLogon.manifest
9/9/2005 8:52:30 AM RH 749 D:\WINDOWS\system32\wuaucpl.cpl.manifest
10/16/2005 1:51:26 PM H 8192 D:\WINDOWS\system32\config\default.LOG
10/16/2005 1:51:54 PM H 1024 D:\WINDOWS\system32\config\SAM.LOG
10/16/2005 1:51:32 PM H 12288 D:\WINDOWS\system32\config\SECURITY.LOG
10/16/2005 2:13:08 PM H 65536 D:\WINDOWS\system32\config\software.LOG
10/16/2005 1:51:34 PM H 790528 D:\WINDOWS\system32\config\system.LOG
9/9/2005 2:34:40 AM H 1024 D:\WINDOWS\system32\config\TempKey.LOG
9/9/2005 2:34:40 AM H 1024 D:\WINDOWS\system32\config\userdiff.LOG
9/24/2005 4:13:20 PM H 1024 D:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
9/9/2005 2:38:00 AM HS 62 D:\WINDOWS\system32\config\systemprofile\Application Data\desktop.ini
9/9/2005 2:38:00 AM HS 62 D:\WINDOWS\system32\config\systemprofile\Local Settings\desktop.ini
9/9/2005 8:49:48 AM HS 113 D:\WINDOWS\system32\config\systemprofile\Local Settings\History\desktop.ini
9/9/2005 8:49:48 AM HS 113 D:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8JESJVDQ\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\EGOLBW0K\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IUVSUPHR\desktop.ini
9/9/2005 8:49:48 AM HS 67 D:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\IYBEDWKE\desktop.ini
9/9/2005 8:52:50 AM HS 181 D:\WINDOWS\system32\config\systemprofile\SendTo\desktop.ini
9/9/2005 2:38:00 AM HS 62 D:\WINDOWS\system32\config\systemprofile\Start Menu\desktop.ini
9/9/2005 8:55:06 AM HS 206 D:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\desktop.ini
9/9/2005 8:55:06 AM HS 482 D:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
9/9/2005 8:55:06 AM HS 348 D:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
9/9/2005 8:55:06 AM HS 84 D:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
9/9/2005 8:55:06 AM HS 84 D:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
9/12/2005 8:43:36 AM HS 388 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\223406f2-89be-4f4d-82bd-caf27bf13c2b
9/12/2005 8:43:38 AM HS 24 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
9/9/2005 11:33:48 AM HS 388 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\2e1cada6-f7ee-4ba5-adc0-b40167a704b4
9/9/2005 11:33:48 AM HS 24 D:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/16/2005 1:50:44 PM H 6 D:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 D:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 D:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 D:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 D:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 D:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 D:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 D:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 D:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 D:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 D:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 6/3/2005 3:52:54 AM 49265 D:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 187904 D:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 D:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 35840 D:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 D:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 D:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 36864 D:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 D:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 D:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 D:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 28160 D:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 D:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 D:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 D:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 187904 D:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 35840 D:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 36864 D:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 6:00:00 AM 28160 D:\WINDOWS\SYSTEM32\dllcache\telephon.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/12/2005 9:34:44 PM 1767 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/9/2005 8:55:06 AM HS 84 D:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/9/2005 2:38:00 AM HS 62 D:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/9/2005 8:55:06 AM HS 84 D:\Documents and Settings\Greg\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/12/2005 9:33:18 PM 697 D:\Documents and Settings\Greg\Application Data\AdobeDLM.log
9/9/2005 2:38:00 AM HS 62 D:\Documents and Settings\Greg\Application Data\desktop.ini
9/12/2005 9:21:08 PM 0 D:\Documents and Settings\Greg\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = D:\Program Files\WinAce\arcext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = D:\Program Files\Grisoft\AVG Free\avgse.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ZFAdd
{8FF88D27-7BD0-11D1-BFB7-00AA00262A11} = D:\Program Files\WinAce\arcext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : D:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WinampAgent D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
SunJavaUpdateSched D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
TkBellExe "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
AVG7_CC D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = D:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = D:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = D:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/16/2005 2:24:43 PM




==================================================
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
==================================================

current HiJackThis Log----------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 2:51:12 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1126279061809
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1126279107890
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.rav.ro/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.com/setacceptlang.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by105fd.bay105.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

============================================================fini
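The HijackThis log above is the kind of thing a helper reads line by line, and the forum software has wrapped the longer entries across lines. As an added example (not code from the original post, and not a feature of HijackThis or WinPFind), the Python below rejoins the wrapped entries, parses the entry formats that appear in the log (R0, O2, O4, O9, O16, O18, O23) and applies the two checks a reviewer makes before looking anything up: a registered file that is reported missing, and a startup executable that lives outside the usual install directories. The sample input is a handful of lines copied from the log above, two of them wrapped as the forum wrapped them; the "standard directory" list, the flag wording and the heuristic itself are this example's assumptions.

```python
"""Triage a HijackThis v1.99 log: rejoin wrapped entries, parse them, flag review items.

Added example, not part of the original post or of HijackThis itself. The regexes
encode the entry formats visible in the log above (R0, O2, O4, O9, O16, O18, O23);
the location heuristic and STANDARD_DIRS are this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every HijackThis entry starts with a section code such as "R0 - " or "O16 - ".
ENTRY_START = re.compile(r"^[RFNO]\d+ - ")

# (section, regex) pairs; each regex yields a display name and a target
# (file path, command line or URL). The two O4 forms are registry vs. startup folder.
PATTERNS = [
    ("R",   re.compile(r"^R\d - (?P<name>[^,]+,[^=]*?) = (?P<target>.*)$")),
    ("O2",  re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O4",  re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<target>.*)$")),
    ("O4",  re.compile(r"^O4 - (?:Global )?Startup: (?P<name>.*?) = (?P<target>.*)$")),
    ("O9",  re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O16", re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<name>.*?)\) - (?P<target>\S+)$")),
    ("O18", re.compile(r"^O18 - Protocol: (?P<name>\S+) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.*?\([^)]*\)) - (?P<vendor>.*?) - (?P<target>.*)$")),
]

# A Windows code-file path rooted at a drive letter or an %ENV% variable.
EXE_PATH = re.compile(r"(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|cpl|ocx)", re.IGNORECASE)

# Assumed "expected" install roots (lower-case fragments); a heuristic for this example.
STANDARD_DIRS = ("\\program files\\", "\\progra~1\\", "\\windows\\", "%systemroot%\\", "%windir%\\")


@dataclass
class Entry:
    section: str
    name: str
    target: str
    raw: str


def rejoin_wrapped(text: str) -> List[str]:
    """Undo forum line-wrapping: a non-blank line that does not start a new entry
    continues the previous one (the forum replaced a single space with a break)."""
    lines: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_entry(line: str) -> Optional[Entry]:
    for section, pattern in PATTERNS:
        m = pattern.match(line)
        if m:
            return Entry(section, m.group("name"), m.group("target"), line)
    return None  # header, process list, or a section this example does not model


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_entry(ln) for ln in rejoin_wrapped(text)) if e]


def review_flags(entry: Entry) -> List[str]:
    """Cheap checks a log reviewer applies before looking anything up."""
    flags: List[str] = []
    if "(file missing)" in entry.target.lower():
        flags.append("registered file is missing: stale key, remove it")
    m = EXE_PATH.search(entry.target)
    if m and not any(d in m.group(0).lower() for d in STANDARD_DIRS):
        flags.append("executable outside Program Files/Windows: verify the file")
    return flags


def triage(text: str) -> Dict[str, List[str]]:
    """Map entry name -> flags for every entry that raised at least one flag."""
    report: Dict[str, List[str]] = {}
    for entry in parse_log(text):
        flags = review_flags(entry)
        if flags:
            report[entry.name] = flags
    return report


# Constructed sample: lines copied from the log above, two of them forum-wrapped.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program

Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WinampAgent] D:\MuSiC + DL programs\winamp 5-1\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file

missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(flags)}")
```

On the sample the only items flagged are the Winamp agent (unusual install directory, which matches the path the user chose, so it is a "verify" and not a verdict), and the two stale BitDefender and MSN Messenger registrations that HijackThis already marks as "(file missing)". Everything else parses cleanly, which is consistent with the "looks pretty good" assessment in the reply that follows.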

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:11:57 PM

Posted 18 October 2005 - 07:43 AM

Hi gkb. These 2 logs look pretty good. Just one file to delete yet and then we can do a final cleanup.

I don't know what you mean regarding the copy/paste. Give me some more details regarding what is happening with that and I'll look into that.

Ok, find the following files/folders and delete them (don't worry if they are already gone):
D:\WINDOWS\WinVid32.exe
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode reboot normally.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
  • CHECK the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)
  • Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • CHECK Turn off System Restore.
    • Click Apply, and then click OK.
  • Restart your computer.
  • Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You already have a good anti-virus, and you should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:

It is best to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update monthly. Microsoft puts out new updates on the 2nd Tuesday of every month so be sure to check regularly.

And to keep your system clean be aware of what emails you open, what websites you visit, and update and run these free malware scanners once a week:

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#14 gkb

gkb
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:11:57 PM

Posted 22 October 2005 - 04:15 PM

good day sir...
I tried my best to get this business tied up before moving but alas... it was not possible. As things stand now I have ghosted all of my drives onto a 300g'er and am transporting it with me to N.Z. where, upon finding a suitable new receptacle, I will salvage all files and try to interpret this stuff one last time so I can translate it to my son (the inheritor of the box-o-mess!). Again thanks for your continued support - things are never easy eh?

regards greg



